From 9628c305bc84cfe8a93e3379e930df8bb60e89e6 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Fri, 13 Feb 2026 07:55:22 +0000
Subject: [PATCH] fix: update admin security control plane request check to include settings and config paths
---
 backend/internal/cerberus/rate_limit.go | 4 ++-
 backend/internal/cerberus/rate_limit_test.go | 29 ++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/backend/internal/cerberus/rate_limit.go b/backend/internal/cerberus/rate_limit.go
index 5b483210..39c22d4d 100644
--- a/backend/internal/cerberus/rate_limit.go
+++ b/backend/internal/cerberus/rate_limit.go
@@ -32,7 +32,9 @@ func isAdminSecurityControlPlaneRequest(ctx *gin.Context) bool {
 		}
 	}
-	return strings.HasPrefix(parsedPath, "/api/v1/security/")
+	return strings.HasPrefix(parsedPath, "/api/v1/security/") ||
+		strings.HasPrefix(parsedPath, "/api/v1/settings") ||
+		strings.HasPrefix(parsedPath, "/api/v1/config")
 }
 // rateLimitManager manages per-IP rate limiters.
diff --git a/backend/internal/cerberus/rate_limit_test.go b/backend/internal/cerberus/rate_limit_test.go
index ed87e118..c170453c 100644
--- a/backend/internal/cerberus/rate_limit_test.go
+++ b/backend/internal/cerberus/rate_limit_test.go
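Review bot: The two new prefixes in the return expression lack the trailing slash that the existing `/api/v1/security/` check carries, so any route whose path merely starts with those bytes (a hypothetical `/api/v1/configuration` or `/api/v1/settings-export`) would also be exempted from the rate limiter, and since this function widens a rate-limit bypass the boundary should be explicit. The test in this commit posts to the bare `/api/v1/settings`, which is presumably why the slash was dropped; match both the exact path and its subtree instead: `(parsedPath == "/api/v1/settings" || strings.HasPrefix(parsedPath, "/api/v1/settings/")) ||` and the same pair for `/api/v1/config`. If `/api/v1/config` also serves non-admin endpoints, the role check that appears to gate this exemption (not visible here) is the only thing keeping them limited, which is worth confirming. The opening of isAdminSecurityControlPlaneRequest, including how parsedPath is derived, lies outside the hunk.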
@@ -392,6 +392,35 @@ func TestCerberusRateLimitMiddleware_AdminSecurityControlPlaneBypass(t *testing.
 	}
 }
+func TestCerberusRateLimitMiddleware_AdminSettingsBypass(t *testing.T) {
+	cfg := config.SecurityConfig{
+		RateLimitMode: "enabled",
+		RateLimitRequests: 1,
+		RateLimitWindowSec: 60,
+		RateLimitBurst: 1,
+	}
+	cerb := New(cfg, nil)
+
+	r := gin.New()
+	r.Use(func(c *gin.Context) {
+		c.Set("role", "admin")
+		c.Set("userID", uint(1))
+		c.Next()
+	})
+	r.Use(cerb.RateLimitMiddleware())
+	r.POST("/api/v1/settings", func(c *gin.Context) {
+		c.Status(http.StatusOK)
+	})
+
+	for i := 0; i < 3; i++ {
+		req, _ := http.NewRequest("POST", "/api/v1/settings", nil)
+		req.RemoteAddr = "10.0.0.1:1234"
+		w := httptest.NewRecorder()
+		r.ServeHTTP(w, req)
+		assert.Equal(t, http.StatusOK, w.Code)
+	}
+}
+
 func TestCerberusRateLimitMiddleware_AdminNonSecurityPathStillLimited(t *testing.T) {
 	cfg := config.SecurityConfig{
 		RateLimitMode: "enabled",
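Review bot: The new test only exercises `/api/v1/settings`, so the `/api/v1/config` branch added in rate_limit.go in the same commit has no coverage, and because the production check is a bare prefix match, a negative case such as a near-miss path like `/api/v1/settingsx` being limited on its second request (the status the neighbouring `AdminNonSecurityPathStillLimited` test presumably expects) would pin the intended boundary. The simplest extension is to register both exempt paths and drive the existing request loop over each, as sketched below; the near-miss case fits the same table with an expected status column. The new test function is entirely within the hunk; the `AdminNonSecurityPathStillLimited` test that follows continues past it.
```go
	paths := []string{"/api/v1/settings", "/api/v1/config"}
	for _, p := range paths {
		r.POST(p, func(c *gin.Context) {
			c.Status(http.StatusOK)
		})
	}

	for i := 0; i < 3; i++ {
		for _, p := range paths {
			req, _ := http.NewRequest("POST", p, nil)
			// … unchanged: RemoteAddr, recorder, ServeHTTP, status assertion …
		}
	}
```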