fix: Check headers for users listing

Add DEBUG key in settings

config/website.py.sample

@@ -1,5 +1,8 @@
 APP_NAME = "Vulnerability Lookup" # Mandatory for the QRCode of the 2FA
 
+# Set it to True to run flask in debug mode. **do not do that in prod**
+DEBUG = False
+
 BOOTSTRAP_SERVE_LOCAL =  True
 SESSION_COOKIE_NAME = "vulnerability-lookup"
 

website/web/api/v1/user.py

@@ -13,7 +13,7 @@
 from website.models import User
 from website.notifications import notifications
 from website.web.bootstrap import db
-from website.web.api.v1.common import metada_params_model
+from website.web.api.v1.common import auth_func, metada_params_model
 from website.web.api.v1.types import ResultType
 from website.web.permissions import admin_permission
 
@@ -82,6 +82,7 @@ class UsersList(Resource):  # type: ignore[misc]
         }
     )  # type: ignore[misc]
     @user_ns.marshal_list_with(user_list_fields)  # type: ignore[misc]
+    @auth_func
     @admin_permission.require(http_exception=403)  # type: ignore[misc]
     def get(self) -> Tuple[ResultType, int]:
         """List all users. Only available to administrators."""
@@ -137,7 +138,7 @@ def post(self) -> Tuple[Dict[Any, Any], int]:
             return abort(400, f"{e}")
         except exc.IntegrityError:
             db.session.rollback()
-            return abort(400, f"Impossible to create the user.")
+            return abort(400, "Impossible to create the user.")
 
         # Send the confirmation email
         try:

website/web/bootstrap.py

@@ -81,6 +81,8 @@ def set_logging(
 application.config["SECURITY_PASSWORD_SALT"] = get_security_password_salt()
 application.config["PUBLIC_DOMAIN"] = get_config("generic", "public_domain")
 
+if application.config.get("DEBUG", False):
+    application.debug = True
 
 Bootstrap5(application)