fix: require login to view runs and cache in UI

- Runs list now requires login, shows only user's own runs - Cache list now requires login to view 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-07 18:02:34 +00:00
parent fb354d8afe
commit e01db2ed26
1 changed files with 12 additions and 8 deletions
--- a/server.py
+++ b/server.py
@@ -836,16 +836,16 @@ async def ui_runs(request: Request):
    current_user = get_user_from_cookie(request)
    runs = list_all_runs()

-    # Filter runs by user if logged in
-    # Match both plain username and ActivityPub format (@user@domain)
-    if current_user:
-        actor_id = f"@{current_user}@{L2_DOMAIN}"
-        runs = [r for r in runs if r.username in (current_user, actor_id)]
+    # Require login to see runs
+    if not current_user:
+        return '<p class="no-runs"><a href="/ui/login">Login</a> to see your runs.</p>'
+
+    # Filter runs by user - match both plain username and ActivityPub format (@user@domain)
+    actor_id = f"@{current_user}@{L2_DOMAIN}"
+    runs = [r for r in runs if r.username in (current_user, actor_id)]

    if not runs:
-        if current_user:
-            return '<p class="no-runs">You have no runs yet. Use the CLI to start a run.</p>'
-        return '<p class="no-runs">No runs yet. <a href="/ui/login">Login</a> to see your runs.</p>'
+        return '<p class="no-runs">You have no runs yet. Use the CLI to start a run.</p>'

    html_parts = ['<div class="runs">']

@@ -923,6 +923,10 @@ async def ui_cache_list(request: Request):
    """HTMX partial: list of cached items."""
    current_user = get_user_from_cookie(request)

+    # Require login to see cache
+    if not current_user:
+        return '<p class="no-runs"><a href="/ui/login">Login</a> to see cached content.</p>'
+
    # Get all cached files
    cache_items = []
    if CACHE_DIR.exists():