Set "Bypass admin page security" as read-only - vw_small

commit b141f789f6905006bcf07546223bc632b453e421
parent 7a7673103fb180098f18abe77b75ba085710b559
Author: BlackDex <black.dex@gmail.com>
Date:   Mon, 14 Nov 2022 17:14:50 +0100

Set "Bypass admin page security" as read-only

It was possible to disable the admin security via the admin interface.
This is kinda insecure as mentioned in #2761.

This PR set this value as read-only and admin's need to set the correct ENV variable.
Currently saved settings which do override this are still valid though.
If an admin want's this removed, they either need to reset the config,
or change the value in the `config.json` file.

Fixes #2761

Diffstat:
M src/config.rs  | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/config.rs b/src/config.rs
@@ -533,7 +533,7 @@ make_config! {
         database_conn_init:     String, false,  def,    String::new();
 
         /// Bypass admin page security (Know the risks!) |> Disables the Admin Token for the admin page so you may use your own auth in-front
-        disable_admin_token:    bool,   true,   def,    false;
+        disable_admin_token:    bool,   false,  def,    false;
 
         /// Allowed iframe ancestors (Know the risks!) |> Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
         allowed_iframe_ancestors: String, true, def,    String::new();

	vw_small Hardened fork of Vaultwarden (https://github.com/dani-garcia/vaultwarden) with fewer features.
	git clone https://git.philomathiclife.com/repos/vw_small
	Log \| Files \| Refs \| README