From f0cf69b4bdb5cb0ad3f9c154dc6249b046b8b79a Mon Sep 17 00:00:00 2001
From: root <root@island37.com>
Date: Thu, 26 Mar 2026 05:23:01 -0500
Subject: [PATCH] Fix NameError: ADMIN_WRITE_ROUTES renamed to
 DEMO_BLOCKED_POSTS

before_request handler still referenced old variable name.
Updated to use DEMO_BLOCKED_POSTS with simpler path-in-set check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 llm_team_ui.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/llm_team_ui.py b/llm_team_ui.py
index 77dc365..3f368d9 100644
--- a/llm_team_ui.py
+++ b/llm_team_ui.py
@@ -174,11 +174,10 @@ def security_checks():
     if path.startswith("/static"):
         return
 
-    # In demo mode, block admin write routes for non-admins
-    if is_demo() and not is_admin():
-        for route, methods in ADMIN_WRITE_ROUTES.items():
-            if path == route and request.method in methods:
-                return jsonify({"error": "demo mode: admin settings are read-only", "demo": True}), 403
+    # In demo mode, block destructive writes for non-admins
+    if is_demo() and not is_admin() and request.method == "POST":
+        if path in DEMO_BLOCKED_POSTS:
+            return jsonify({"error": "demo mode: read-only", "demo": True}), 403
 
 
 @app.after_request