From 732f29d83648f833c478f9027fccd5715ade7b0f Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 26 Mar 2026 05:24:45 -0500
Subject: [PATCH] Fix showcase toggle: remove /api/demo/toggle from blocked POSTs

The demo toggle route was in DEMO_BLOCKED_POSTS, so once showcase was enabled, the before_request handler blocked the toggle POST even for admins (the before_request check ran before the route's own admin check could verify the session). Fix: removed /api/demo/toggle from blocked list. The route already has its own admin-only check (line 460).
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 llm_team_ui.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/llm_team_ui.py b/llm_team_ui.py
index 3f368d9..5e258f6 100644
--- a/llm_team_ui.py
+++ b/llm_team_ui.py
@@ -78,9 +78,10 @@ DEMO_ALLOWED_POSTS = {
 }
 # Routes that demo users CANNOT touch (destructive writes)
+# Note: /api/demo/toggle is NOT blocked here — it has its own admin check
 DEMO_BLOCKED_POSTS = {
 "/api/admin/config", "/api/admin/test-provider", "/api/admin/security/ban",
- "/api/admin/security/mass-ban", "/api/demo/toggle", "/api/demo/allowlist",
+ "/api/admin/security/mass-ban", "/api/demo/allowlist",
 "/api/runs/bulk-archive", "/api/meta-pipeline",
 }
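Review bot: With `/api/demo/toggle` dropped from `DEMO_BLOCKED_POSTS`, the route's in-handler admin check becomes the only thing keeping a demo session from switching showcase mode off, and that check lies outside this hunk, so it cannot be verified here. The added comment should state that dependency in a form that survives refactoring, e.g. `# /api/demo/toggle is deliberately absent: its handler must enforce admin-only access itself`. A regression test that POSTs to the toggle from a non-admin session while showcase is enabled and expects a rejection would pin the behaviour. If the `before_request` handler (also outside the hunk) can read the session, exempting admins from the blocklist there would presumably fix the same lock-out while keeping the route listed. It is also worth confirming whether the remaining `/api/admin/...` entries are meant to stay blocked for admins while showcase is on.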