From 62faf6cddfe8ff164a439fc52b2584926a03c2a0 Mon Sep 17 00:00:00 2001
From: Florian Brandes
Date: Tue, 9 Apr 2024 15:34:34 +0200
Subject: [PATCH] pgadmin4: fix CSRF issue

Without the downgrade of flask-security-too to 5.4.1 pgadmin4 is unusable, because one cannot login. Alternatively one could disable CSRF altogether with the module. This would still make the desktop version unusable and impact security. Therefore flask-security-too is being downgraded.

Signed-off-by: Florian Brandes
---
 pkgs/tools/admin/pgadmin/default.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/admin/pgadmin/default.nix b/pkgs/tools/admin/pgadmin/default.nix
index 3092eba0d37e..2e5ee6d574f2 100644
--- a/pkgs/tools/admin/pgadmin/default.nix
+++ b/pkgs/tools/admin/pgadmin/default.nix
@@ -26,7 +26,18 @@ let
   # keep the scope, as it is used throughout the derivation and tests
   # this also makes potential future overrides easier
-  pythonPackages = python3.pkgs.overrideScope (final: prev: rec { });
+  pythonPackages = python3.pkgs.overrideScope (final: prev: rec {
+    # Flask 5.4.3 introduces an CSRF error which makes it impossible to login
+    # So either we downgrade flask here or use "WTF_CSRF_ENABLED = false" in the
+    # module config to disable CSRF.
+    flask-security-too = prev.flask-security-too.overridePythonAttrs (oldAttrs: rec {
+      version = "5.4.1";
+      src = oldAttrs.src.override {
+        inherit version;
+        hash = "sha256-Ay7+gk+zuUlXtw0LDdsnvSa22z+yE6VR1guu9QmiFvw=";
+      };
+    });
+  });
 
   offlineCache = fetchYarnDeps {
     yarnLock = ./yarn.lock;