mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-15 00:29:29 -06:00
bde61c7f5d
Fix multiple permission and role-related issues:
1. Gantt chart access: Replace is_admin check with view_projects permission
- Users with custom roles having view_projects permission can now access
Gantt charts, not just admins
- Updated app/routes/gantt.py to check permissions properly
2. Task view filtering: Replace is_admin check with view_all_tasks permission
- Users with custom roles having view_all_tasks permission can now see
all tasks in the Tasks view, not just admins
- Updated app/services/task_service.py to accept has_view_all_tasks parameter
- Updated app/routes/tasks.py list_tasks and export_tasks to use permission check
3. Role assignment security: Prevent privilege escalation
- Added is_super_admin property to User model
- Only super_admins can assign super_admin role to users
- Only super_admins can remove admin role from themselves or others
- Prevents admins from escalating privileges or removing admin access
- Updated app/routes/permissions.py manage_user_roles with validation
4. Version display consistency: Ensure consistent version display
- Added APP_VERSION environment variable to docker-compose.example.yml
- Ensures version is displayed consistently when using pre-built images
All changes maintain backward compatibility and follow the existing
permission system architecture.
82 lines
2.8 KiB
YAML
82 lines
2.8 KiB
YAML
services:
|
|
app:
|
|
image: ghcr.io/drytrix/timetracker:latest
|
|
container_name: timetracker-app
|
|
environment:
|
|
- TZ=${TZ:-Europe/Brussels}
|
|
- CURRENCY=${CURRENCY:-EUR}
|
|
- ROUNDING_MINUTES=${ROUNDING_MINUTES:-1}
|
|
- SINGLE_ACTIVE_TIMER=${SINGLE_ACTIVE_TIMER:-true}
|
|
- ALLOW_SELF_REGISTER=${ALLOW_SELF_REGISTER:-true}
|
|
- IDLE_TIMEOUT_MINUTES=${IDLE_TIMEOUT_MINUTES:-30}
|
|
- ADMIN_USERNAMES=${ADMIN_USERNAMES:-admin}
|
|
# Security (required in production)
|
|
- SECRET_KEY=${SECRET_KEY}
|
|
# Version (inherited from image, but can be overridden)
|
|
- APP_VERSION=${APP_VERSION:-}
|
|
# Database (bundled Postgres)
|
|
- DATABASE_URL=postgresql+psycopg2://timetracker:timetracker@db:5432/timetracker
|
|
# CSRF & cookies (safe for HTTP local; tighten for HTTPS)
|
|
- WTF_CSRF_ENABLED=${WTF_CSRF_ENABLED:-true}
|
|
- WTF_CSRF_TIME_LIMIT=${WTF_CSRF_TIME_LIMIT:-3600}
|
|
- WTF_CSRF_SSL_STRICT=${WTF_CSRF_SSL_STRICT:-false}
|
|
- SESSION_COOKIE_SECURE=${SESSION_COOKIE_SECURE:-false}
|
|
- REMEMBER_COOKIE_SECURE=${REMEMBER_COOKIE_SECURE:-false}
|
|
- CSRF_COOKIE_SECURE=${CSRF_COOKIE_SECURE:-false}
|
|
- CSRF_COOKIE_HTTPONLY=${CSRF_COOKIE_HTTPONLY:-false}
|
|
- CSRF_COOKIE_SAMESITE=${CSRF_COOKIE_SAMESITE:-Lax}
|
|
- CSRF_COOKIE_NAME=${CSRF_COOKIE_NAME:-XSRF-TOKEN}
|
|
- SESSION_COOKIE_SAMESITE=${SESSION_COOKIE_SAMESITE:-Lax}
|
|
- PREFERRED_URL_SCHEME=${PREFERRED_URL_SCHEME:-http}
|
|
# Analytics (optional)
|
|
- SENTRY_DSN=${SENTRY_DSN:-}
|
|
- SENTRY_TRACES_RATE=${SENTRY_TRACES_RATE:-0.0}
|
|
- POSTHOG_API_KEY=${POSTHOG_API_KEY:-}
|
|
- POSTHOG_HOST=${POSTHOG_HOST:-https://app.posthog.com}
|
|
- ENABLE_TELEMETRY=${ENABLE_TELEMETRY:-false}
|
|
- TELE_SALT=${TELE_SALT:-}
|
|
ports:
|
|
- "8080:8080"
|
|
volumes:
|
|
- app_data:/data
|
|
- app_uploads:/app/app/static/uploads
|
|
- ./logs:/app/logs
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
restart: unless-stopped
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "-s", "-o", "/dev/null", "http://localhost:8080/_health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
|
|
db:
|
|
image: postgres:16-alpine
|
|
container_name: timetracker-db
|
|
environment:
|
|
- POSTGRES_DB=${POSTGRES_DB:-timetracker}
|
|
- POSTGRES_USER=${POSTGRES_USER:-timetracker}
|
|
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-timetracker}
|
|
- TZ=${TZ:-Europe/Brussels}
|
|
volumes:
|
|
- db_data:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 30s
|
|
restart: unless-stopped
|
|
|
|
volumes:
|
|
app_data:
|
|
driver: local
|
|
app_uploads:
|
|
driver: local
|
|
db_data:
|
|
driver: local
|
|
|
|
|