authorkj_sh6042026-04-03 17:34:35 -0400
committerkj_sh6042026-04-03 17:34:35 -0400
commite6ff2b91aebcf2e69a988dc04627cd987c2a0f47 (patch)
tree8e59a1632e60856f4f9c42cb60be04da181c76e3 /shim_app.py
parent9f0a5a6fce2621e320fdeb751243b4878f920401 (diff)
refactor: some productionization changes
Diffstat (limited to 'shim_app.py')
-rw-r--r--shim_app.py17
1 files changed, 16 insertions, 1 deletions
diff --git a/shim_app.py b/shim_app.py
index 2e9bcdd..b84128c 100644
--- a/shim_app.py
+++ b/shim_app.py
@@ -693,6 +693,15 @@ def env_float(name: str, default: float, minimum: float) -> float:
return max(value, minimum)
+def env_bool(name: str, default: bool) -> bool:
+ raw = os.getenv(name, "true" if default else "false").strip().lower()
+ if raw in {"1", "true", "yes", "on"}:
+ return True
+ if raw in {"0", "false", "no", "off"}:
+ return False
+ return default
+
+
def create_app(base_dir: Optional[Path] = None) -> Flask:
project_dir = Path(base_dir or Path(__file__).parent).resolve()
app_name = os.getenv("SHIM_APP_NAME", "shim").strip() or "shim"
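Review bot: `env_bool` falls through to `return default` for any value it does not recognise, so a misspelled setting is silently ignored. Elsewhere in this commit the helper gates the same-origin and CSRF checks, so a mistyped value leaves them at the default with no signal to the operator. I would fail at startup instead, `raise ValueError(f"{name} must be one of 1/0/true/false/yes/no/on/off")`, or at least log a warning before falling back. A one-line docstring would also help: `"""Parse a boolean environment variable; accepts 1/true/yes/on and 0/false/no/off, case-insensitive."""`.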
@@ -737,6 +746,7 @@ def create_app(base_dir: Optional[Path] = None) -> Flask:
sqlite_wal_autocheckpoint_pages = env_int(
"SHIM_SQLITE_WAL_AUTOCHECKPOINT_PAGES", 1000, 100
)
+ enforce_app_request_guards = env_bool("SHIM_ENFORCE_APP_REQUEST_GUARDS", False)
cookie_secure_mode = os.getenv("SHIM_COOKIE_SECURE", "auto").strip().lower()
if cookie_secure_mode not in {"auto", "true", "false"}:
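Review bot: `SHIM_ENFORCE_APP_REQUEST_GUARDS` defaults to `False`, which makes the same-origin and CSRF checks opt-in; the last hunk of this commit gates them on this flag, and before it they ran for every mutating `/app/` request. A deployment that upgrades without setting the variable loses both checks, and the commit title ("refactor") gives no hint of that behaviour change. The safer default is `env_bool("SHIM_ENFORCE_APP_REQUEST_GUARDS", True)`, with a comment above it such as `# Disabling this removes same-origin and CSRF enforcement on /app/ writes; local testing only.` `create_app` starts and ends outside this hunk.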
@@ -1031,7 +1041,12 @@ def create_app(base_dir: Optional[Path] = None) -> Flask:
if user is not None:
g.current_user = user
- if request.method in MUTATING_METHODS and request.path.startswith("/app/"):
+ if (
+ enforce_app_request_guards
+ and g.current_user is not None
+ and request.method in MUTATING_METHODS
+ and request.path.startswith("/app/")
+ ):
if not is_same_origin_request():
abort(403)
if not is_valid_csrf_for_request():
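Review bot: The added `g.current_user is not None` clause exempts every unauthenticated mutating request under `/app/` from the same-origin and CSRF checks, which the removed condition applied regardless of session state. If any pre-login endpoint lives under that prefix (not visible here), it is no longer covered even when the flag is on; consider dropping the clause or adding a comment that explains why anonymous writes need no check. Separately, only the assignment under `if user is not None:` is visible, so unless `g.current_user` is initialised earlier in this hook the attribute read raises `AttributeError` for anonymous requests; `getattr(g, "current_user", None) is not None` avoids that. The enclosing function starts and ends outside the hunk.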