From c536db4e19c39db02ad7b8dcb9dabfcb495340c8 Mon Sep 17 00:00:00 2001
From: Jeff Ohrstrom
Date: Tue, 19 Nov 2024 11:06:28 -0500
Subject: [PATCH] only respond to root owned files
---
 apps/dashboard/config/configuration_singleton.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index 68ecff7324..174d4c5b43 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -435,7 +435,10 @@ def can_access_core_app?(name)
 def read_config
 files = Pathname.glob(config_directory.join("*.{yml,yaml,yml.erb,yaml.erb}"))
- files.sort.each_with_object({}) do |f, conf|
+ files.sort.select do |f|
+ # only resond to root owned files in production.
+ rails_env == 'production' ? File.stat(f).uid.zero? : true
+ end.each_with_object({}) do |f, conf|
 begin
 content = ERB.new(f.read, trim_mode: "-").result(binding)
 yml = YAML.safe_load(content, aliases: true) || {}