fix(auth): register /settings/oidc route for admins only

Non-admins fall through to the catch-all redirect instead of seeing the OIDC settings page shell. Sidebar link, in-page guard and the admin-only backend API remain as defense in depth. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 20:33:28 +01:00
parent 8cac6951d7
commit ba55fee9d5
1 changed files with 1 additions and 1 deletions
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -136,7 +136,7 @@ export default function App() {
            <Route path="/roles" element={<RoleEditorPage />} />
            <Route path="/users" element={<UsersPage />} />
            <Route path="/monitor" element={<MonitorPage />} />
-            <Route path="/settings/oidc" element={<OidcSettingsPage />} />
+            {user?.is_admin && <Route path="/settings/oidc" element={<OidcSettingsPage />} />}
            <Route path="/oidc/callback" element={<OidcCallbackPage onToken={loginWithToken} />} />
            <Route path="*" element={<Navigate to="/" />} />
          </Routes>