diff --git a/backend/internal/api/handlers/settings_handler.go b/backend/internal/api/handlers/settings_handler.go index 8d39ad43..935cd9d8 100644 --- a/backend/internal/api/handlers/settings_handler.go +++ b/backend/internal/api/handlers/settings_handler.go @@ -532,6 +532,10 @@ type SMTPConfigRequest struct { // GetSMTPConfig returns the current SMTP configuration. func (h *SettingsHandler) GetSMTPConfig(c *gin.Context) { + if !requireAdmin(c) { + return + } + config, err := h.MailService.GetSMTPConfig() if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch SMTP configuration"}) diff --git a/backend/internal/api/handlers/settings_handler_test.go b/backend/internal/api/handlers/settings_handler_test.go index 34d1b9ac..f36a28d3 100644 --- a/backend/internal/api/handlers/settings_handler_test.go +++ b/backend/internal/api/handlers/settings_handler_test.go @@ -999,6 +999,25 @@ func TestSettingsHandler_GetSMTPConfig_DatabaseError(t *testing.T) { assert.Equal(t, http.StatusInternalServerError, w.Code) } +func TestSettingsHandler_GetSMTPConfig_NonAdminForbidden(t *testing.T) { + gin.SetMode(gin.TestMode) + handler, _ := setupSettingsHandlerWithMail(t) + + router := gin.New() + router.Use(func(c *gin.Context) { + c.Set("role", "user") + c.Set("userID", uint(2)) + c.Next() + }) + router.GET("/api/v1/settings/smtp", handler.GetSMTPConfig) + + w := httptest.NewRecorder() + req, _ := http.NewRequest("GET", "/api/v1/settings/smtp", http.NoBody) + router.ServeHTTP(w, req) + + assert.Equal(t, http.StatusForbidden, w.Code) +} + func TestSettingsHandler_UpdateSMTPConfig_NonAdmin(t *testing.T) { gin.SetMode(gin.TestMode) handler, _ := setupSettingsHandlerWithMail(t) diff --git a/backend/internal/api/routes/routes.go b/backend/internal/api/routes/routes.go index 267ac7c5..9dd443b6 100644 --- a/backend/internal/api/routes/routes.go +++ b/backend/internal/api/routes/routes.go @@ -277,7 +277,7 @@ func RegisterWithDeps(router *gin.Engine, db *gorm.DB, cfg config.Config, caddyM protected.PATCH("/config", settingsHandler.PatchConfig) // Bulk configuration update // SMTP Configuration - protected.GET("/settings/smtp", settingsHandler.GetSMTPConfig) + protected.GET("/settings/smtp", middleware.RequireRole("admin"), settingsHandler.GetSMTPConfig) protected.POST("/settings/smtp", settingsHandler.UpdateSMTPConfig) protected.POST("/settings/smtp/test", settingsHandler.TestSMTPConfig) protected.POST("/settings/smtp/test-email", settingsHandler.SendTestEmail)