Fix showcase toggle: remove /api/demo/toggle from blocked POSTs

The demo toggle route was in DEMO_BLOCKED_POSTS, so once showcase
was enabled, the before_request handler blocked the toggle POST
even for admins (the before_request check ran before the route's
own admin check could verify the session).

Fix: removed /api/demo/toggle from blocked list. The route already
has its own admin-only check (line 460).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
root 2026-03-26 05:24:45 -05:00
parent f0cf69b4bd
commit 732f29d836

@ -78,9 +78,10 @@ DEMO_ALLOWED_POSTS = {
}
# Routes that demo users CANNOT touch (destructive writes)
# Note: /api/demo/toggle is NOT blocked here — it has its own admin check
DEMO_BLOCKED_POSTS = {
"/api/admin/config", "/api/admin/test-provider", "/api/admin/security/ban",
"/api/admin/security/mass-ban", "/api/demo/toggle", "/api/demo/allowlist",
"/api/admin/security/mass-ban", "/api/demo/allowlist",
"/api/runs/bulk-archive", "/api/meta-pipeline",
}
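Review bot: With "/api/demo/toggle" dropped from DEMO_BLOCKED_POSTS, the route's own admin check becomes the only control stopping a demo session from switching showcase off, and that check is not visible in this hunk. The new comment asserts the check exists but will go stale if the route is refactored; name the guarding function or decorator in the comment, and add a test that a non-admin POST to /api/demo/toggle is rejected while showcase is enabled and an admin POST succeeds. Also confirm how the before_request handler treats a POST path that is in neither DEMO_ALLOWED_POSTS nor DEMO_BLOCKED_POSTS, since the hunk does not show whether unlisted paths default to allow or deny. "/api/demo/allowlist" and the /api/admin/* entries stay in the list, so by the commit message's own description admins remain blocked from them while showcase is on; if that is not intended, checking the admin session in before_request ahead of the blocklist would fix the whole class rather than this one path.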