fix(hub): System.HasUser - return true if SHARE_ALL_SYSTEMS=true (#1891)

- move hub's GetEnv function to new utils package to more easily share across different hub packages - change System.HasUser to take core.Record instead of user ID string - add tests
2026-04-13 00:11:49 +02:00 · 2026-04-08 19:56:37 -04:00
parent ea80f3c5a2
commit 0ae8c42ae0
9 changed files with 111 additions and 28 deletions
--- a/internal/hub/systems/system.go
+++ b/internal/hub/systems/system.go
@@ -15,6 +15,7 @@ import (

 	"github.com/henrygd/beszel/internal/common"
 	"github.com/henrygd/beszel/internal/hub/transport"
+	"github.com/henrygd/beszel/internal/hub/utils"
 	"github.com/henrygd/beszel/internal/hub/ws"

 	"github.com/henrygd/beszel/internal/entities/container"
@@ -353,14 +354,21 @@ func (sys *System) getRecord(app core.App) (*core.Record, error) {
 	return record, nil
 }

-// HasUser checks if the given user ID is in the system's users list.
-func (sys *System) HasUser(app core.App, userID string) bool {
+// HasUser checks if the given user is in the system's users list.
+// Returns true if SHARE_ALL_SYSTEMS is enabled (any authenticated user can access any system).
+func (sys *System) HasUser(app core.App, user *core.Record) bool {
+	if user == nil {
+		return false
+	}
+	if v, _ := utils.GetEnv("SHARE_ALL_SYSTEMS"); v == "true" {
+		return true
+	}
 	record, err := sys.getRecord(app)
 	if err != nil {
 		return false
 	}
 	users := record.GetStringSlice("users")
-	return slices.Contains(users, userID)
+	return slices.Contains(users, user.Id)
 }

 // setDown marks a system as down in the database.
--- a/internal/hub/systems/systems_test.go
+++ b/internal/hub/systems/systems_test.go
@@ -421,3 +421,51 @@ func testOld(t *testing.T, hub *tests.TestHub) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestHasUser(t *testing.T) {
+	hub, err := tests.NewTestHub(t.TempDir())
+	require.NoError(t, err)
+	defer hub.Cleanup()
+
+	sm := hub.GetSystemManager()
+	err = sm.Initialize()
+	require.NoError(t, err)
+
+	user1, err := tests.CreateUser(hub, "user1@test.com", "password123")
+	require.NoError(t, err)
+	user2, err := tests.CreateUser(hub, "user2@test.com", "password123")
+	require.NoError(t, err)
+
+	record, err := tests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "has-user-test",
+		"host":  "127.0.0.1",
+		"port":  "33914",
+		"users": []string{user1.Id},
+	})
+	require.NoError(t, err)
+
+	sys, err := sm.GetSystemFromStore(record.Id)
+	require.NoError(t, err)
+
+	t.Run("user in list returns true", func(t *testing.T) {
+		assert.True(t, sys.HasUser(hub, user1))
+	})
+
+	t.Run("user not in list returns false", func(t *testing.T) {
+		assert.False(t, sys.HasUser(hub, user2))
+	})
+
+	t.Run("unknown user ID returns false", func(t *testing.T) {
+		assert.False(t, sys.HasUser(hub, nil))
+	})
+
+	t.Run("SHARE_ALL_SYSTEMS=true grants access to non-member", func(t *testing.T) {
+		t.Setenv("SHARE_ALL_SYSTEMS", "true")
+		assert.True(t, sys.HasUser(hub, user2))
+	})
+
+	t.Run("BESZEL_HUB_SHARE_ALL_SYSTEMS=true grants access to non-member", func(t *testing.T) {
+		t.Setenv("BESZEL_HUB_SHARE_ALL_SYSTEMS", "true")
+		assert.True(t, sys.HasUser(hub, user2))
+	})
+}