fix(hub): System.HasUser - return true if SHARE_ALL_SYSTEMS=true (#1891 )

- move hub's GetEnv function to new utils package to more easily share across different hub packages - change System.HasUser to take core.Record instead of user ID string - add tests
fix(agent): add safety check for read returning negative bytes (#1799 )
2026-04-09 15:08:06 +00:00 · 2026-04-08 20:13:39 -04:00 · 2026-04-07 18:41:22 -04:00 · 2026-04-07 16:08:28 -04:00 · 2026-04-07 14:47:08 -04:00
16 changed files with 720 additions and 444 deletions
--- a/agent/gpu_amd_linux.go
+++ b/agent/gpu_amd_linux.go
@@ -156,6 +156,7 @@ func (gm *GPUManager) updateAmdGpuData(cardPath string) bool {
 func readSysfsFloat(path string) (float64, error) {
 	val, err := utils.ReadStringFileLimited(path, 64)
 	if err != nil {
+		slog.Debug("Failed to read sysfs value", "path", path, "error", err)
 		return 0, err
 	}
 	return strconv.ParseFloat(val, 64)
--- a/agent/utils/utils.go
+++ b/agent/utils/utils.go
@@ -1,6 +1,8 @@
+// Package utils provides utility functions for the agent.
 package utils

 import (
+	"fmt"
 	"io"
 	"math"
 	"os"
@@ -68,6 +70,9 @@ func ReadStringFileLimited(path string, maxSize int) (string, error) {
 	if err != nil && err != io.EOF {
 		return "", err
 	}
+	if n < 0 {
+		return "", fmt.Errorf("%s returned negative bytes: %d", path, n)
+	}
 	return strings.TrimSpace(string(buf[:n])), nil
 }

--- a/internal/alerts/alerts.go
+++ b/internal/alerts/alerts.go
@@ -302,21 +302,6 @@ func (am *AlertManager) SendShoutrrrAlert(notificationUrl, title, message, link,
 	return nil
 }

-func (am *AlertManager) SendTestNotification(e *core.RequestEvent) error {
-	var data struct {
-		URL string `json:"url"`
-	}
-	err := e.BindBody(&data)
-	if err != nil || data.URL == "" {
-		return e.BadRequestError("URL is required", err)
-	}
-	err = am.SendShoutrrrAlert(data.URL, "Test Alert", "This is a notification from Beszel.", am.hub.Settings().Meta.AppURL, "View Beszel")
-	if err != nil {
-		return e.JSON(200, map[string]string{"err": err.Error()})
-	}
-	return e.JSON(200, map[string]bool{"err": false})
-}
-
 // setAlertTriggered updates the "triggered" status of an alert record in the database
 func (am *AlertManager) setAlertTriggered(alert CachedAlertData, triggered bool) error {
 	alertRecord, err := am.hub.FindRecordById("alerts", alert.Id)
--- a/internal/alerts/alerts_api.go
+++ b/internal/alerts/alerts_api.go
@@ -3,7 +3,11 @@ package alerts
 import (
 	"database/sql"
 	"errors"
+	"net"
 	"net/http"
+	"net/url"
+	"slices"
+	"strings"

 	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
@@ -117,3 +121,72 @@ func DeleteUserAlerts(e *core.RequestEvent) error {

 	return e.JSON(http.StatusOK, map[string]any{"success": true, "count": numDeleted})
 }
+
+// SendTestNotification handles API request to send a test notification to a specified Shoutrrr URL
+func (am *AlertManager) SendTestNotification(e *core.RequestEvent) error {
+	var data struct {
+		URL string `json:"url"`
+	}
+	err := e.BindBody(&data)
+	if err != nil || data.URL == "" {
+		return e.BadRequestError("URL is required", err)
+	}
+	// Only allow admins to send test notifications to internal URLs
+	if !e.Auth.IsSuperuser() && e.Auth.GetString("role") != "admin" {
+		internalURL, err := isInternalURL(data.URL)
+		if err != nil {
+			return e.BadRequestError(err.Error(), nil)
+		}
+		if internalURL {
+			return e.ForbiddenError("Only admins can send to internal destinations", nil)
+		}
+	}
+	err = am.SendShoutrrrAlert(data.URL, "Test Alert", "This is a notification from Beszel.", am.hub.Settings().Meta.AppURL, "View Beszel")
+	if err != nil {
+		return e.JSON(200, map[string]string{"err": err.Error()})
+	}
+	return e.JSON(200, map[string]bool{"err": false})
+}
+
+// isInternalURL checks if the given shoutrrr URL points to an internal destination (localhost or private IP)
+func isInternalURL(rawURL string) (bool, error) {
+	parsedURL, err := url.Parse(rawURL)
+	if err != nil {
+		return false, err
+	}
+
+	host := parsedURL.Hostname()
+	if host == "" {
+		return false, nil
+	}
+
+	if strings.EqualFold(host, "localhost") {
+		return true, nil
+	}
+
+	if ip := net.ParseIP(host); ip != nil {
+		return isInternalIP(ip), nil
+	}
+
+	// Some Shoutrrr URLs use the host position for service identifiers rather than a
+	// network hostname (for example, discord://token@webhookid). Restrict DNS lookups
+	// to names that look like actual hostnames so valid service URLs keep working.
+	if !strings.Contains(host, ".") {
+		return false, nil
+	}
+
+	ips, err := net.LookupIP(host)
+	if err != nil {
+		return false, nil
+	}
+
+	if slices.ContainsFunc(ips, isInternalIP) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func isInternalIP(ip net.IP) bool {
+	return ip.IsPrivate() || ip.IsLoopback() || ip.IsUnspecified()
+}
--- a/internal/alerts/alerts_api_test.go
+++ b/internal/alerts/alerts_api_test.go
@@ -0,0 +1,501 @@
+//go:build testing
+
+package alerts_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/henrygd/beszel/internal/alerts"
+	beszelTests "github.com/henrygd/beszel/internal/tests"
+	pbTests "github.com/pocketbase/pocketbase/tests"
+
+	"github.com/pocketbase/dbx"
+	"github.com/pocketbase/pocketbase/core"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// marshal to json and return an io.Reader (for use in ApiScenario.Body)
+func jsonReader(v any) io.Reader {
+	data, err := json.Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	return bytes.NewReader(data)
+}
+
+func TestIsInternalURL(t *testing.T) {
+	testCases := []struct {
+		name     string
+		url      string
+		internal bool
+	}{
+		{name: "loopback ipv4", url: "generic://127.0.0.1", internal: true},
+		{name: "localhost hostname", url: "generic://localhost", internal: true},
+		{name: "localhost hostname", url: "generic+http://localhost/api/v1/postStuff", internal: true},
+		{name: "localhost hostname", url: "generic+http://127.0.0.1:8080/api/v1/postStuff", internal: true},
+		{name: "localhost hostname", url: "generic+https://beszel.dev/api/v1/postStuff", internal: false},
+		{name: "public ipv4", url: "generic://8.8.8.8", internal: false},
+		{name: "token style service url", url: "discord://abc123@123456789", internal: false},
+		{name: "single label service url", url: "slack://token@team/channel", internal: false},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			internal, err := alerts.IsInternalURL(testCase.url)
+			assert.NoError(t, err)
+			assert.Equal(t, testCase.internal, internal)
+		})
+	}
+}
+
+func TestUserAlertsApi(t *testing.T) {
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	hub.StartHub()
+
+	user1, _ := beszelTests.CreateUser(hub, "alertstest@example.com", "password")
+	user1Token, _ := user1.NewAuthToken()
+
+	user2, _ := beszelTests.CreateUser(hub, "alertstest2@example.com", "password")
+	user2Token, _ := user2.NewAuthToken()
+
+	system1, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "system1",
+		"users": []string{user1.Id},
+		"host":  "127.0.0.1",
+	})
+
+	system2, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "system2",
+		"users": []string{user1.Id, user2.Id},
+		"host":  "127.0.0.2",
+	})
+
+	userRecords, _ := hub.CountRecords("users")
+	assert.EqualValues(t, 2, userRecords, "all users should be created")
+
+	systemRecords, _ := hub.CountRecords("systems")
+	assert.EqualValues(t, 2, systemRecords, "all systems should be created")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		// {
+		// 	Name:            "GET not implemented - returns index",
+		// 	Method:          http.MethodGet,
+		// 	URL:             "/api/beszel/user-alerts",
+		// 	ExpectedStatus:  200,
+		// 	ExpectedContent: []string{"<html ", "globalThis.BESZEL"},
+		// 	TestAppFactory:  testAppFactory,
+		// },
+		{
+			Name:            "POST no auth",
+			Method:          http.MethodPost,
+			URL:             "/api/beszel/user-alerts",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST no body",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"Bad data"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST bad data",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"Bad data"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"invalidField": "this should cause validation error",
+				"threshold":    "not a number",
+			}),
+		},
+		{
+			Name:   "POST malformed JSON",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"Bad data"},
+			TestAppFactory:  testAppFactory,
+			Body:            strings.NewReader(`{"alertType": "cpu", "threshold": 80, "enabled": true,}`),
+		},
+		{
+			Name:   "POST valid alert data multiple systems",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":      "CPU",
+				"value":     69,
+				"min":       9,
+				"systems":   []string{system1.Id, system2.Id},
+				"overwrite": false,
+			}),
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				// check total alerts
+				alerts, _ := app.CountRecords("alerts")
+				assert.EqualValues(t, 2, alerts, "should have 2 alerts")
+				// check alert has correct values
+				matchingAlerts, _ := app.CountRecords("alerts", dbx.HashExp{"name": "CPU", "user": user1.Id, "system": system1.Id, "value": 69, "min": 9})
+				assert.EqualValues(t, 1, matchingAlerts, "should have 1 alert")
+			},
+		},
+		{
+			Name:   "POST valid alert data single system",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "Memory",
+				"systems": []string{system1.Id},
+				"value":   90,
+				"min":     10,
+			}),
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				user1Alerts, _ := app.CountRecords("alerts", dbx.HashExp{"user": user1.Id})
+				assert.EqualValues(t, 3, user1Alerts, "should have 3 alerts")
+			},
+		},
+		{
+			Name:   "Overwrite: false, should not overwrite existing alert",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":      "CPU",
+				"value":     45,
+				"min":       5,
+				"systems":   []string{system1.Id},
+				"overwrite": false,
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.ClearCollection(t, app, "alerts")
+				beszelTests.CreateRecord(app, "alerts", map[string]any{
+					"name":   "CPU",
+					"system": system1.Id,
+					"user":   user1.Id,
+					"value":  80,
+					"min":    10,
+				})
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				alerts, _ := app.CountRecords("alerts")
+				assert.EqualValues(t, 1, alerts, "should have 1 alert")
+				alert, _ := app.FindFirstRecordByFilter("alerts", "name = 'CPU' && user = {:user}", dbx.Params{"user": user1.Id})
+				assert.EqualValues(t, 80, alert.Get("value"), "should have 80 as value")
+			},
+		},
+		{
+			Name:   "Overwrite: true, should overwrite existing alert",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":      "CPU",
+				"value":     45,
+				"min":       5,
+				"systems":   []string{system2.Id},
+				"overwrite": true,
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.ClearCollection(t, app, "alerts")
+				beszelTests.CreateRecord(app, "alerts", map[string]any{
+					"name":   "CPU",
+					"system": system2.Id,
+					"user":   user2.Id,
+					"value":  80,
+					"min":    10,
+				})
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				alerts, _ := app.CountRecords("alerts")
+				assert.EqualValues(t, 1, alerts, "should have 1 alert")
+				alert, _ := app.FindFirstRecordByFilter("alerts", "name = 'CPU' && user = {:user}", dbx.Params{"user": user2.Id})
+				assert.EqualValues(t, 45, alert.Get("value"), "should have 45 as value")
+			},
+		},
+		{
+			Name:            "DELETE no auth",
+			Method:          http.MethodDelete,
+			URL:             "/api/beszel/user-alerts",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"systems": []string{system1.Id},
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.ClearCollection(t, app, "alerts")
+				beszelTests.CreateRecord(app, "alerts", map[string]any{
+					"name":   "CPU",
+					"system": system1.Id,
+					"user":   user1.Id,
+					"value":  80,
+					"min":    10,
+				})
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				alerts, _ := app.CountRecords("alerts")
+				assert.EqualValues(t, 1, alerts, "should have 1 alert")
+			},
+		},
+		{
+			Name:   "DELETE alert",
+			Method: http.MethodDelete,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"count\":1", "\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"systems": []string{system1.Id},
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.ClearCollection(t, app, "alerts")
+				beszelTests.CreateRecord(app, "alerts", map[string]any{
+					"name":   "CPU",
+					"system": system1.Id,
+					"user":   user1.Id,
+					"value":  80,
+					"min":    10,
+				})
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				alerts, _ := app.CountRecords("alerts")
+				assert.Zero(t, alerts, "should have 0 alerts")
+			},
+		},
+		{
+			Name:   "DELETE alert multiple systems",
+			Method: http.MethodDelete,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user1Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"count\":2", "\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "Memory",
+				"systems": []string{system1.Id, system2.Id},
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.ClearCollection(t, app, "alerts")
+				for _, systemId := range []string{system1.Id, system2.Id} {
+					_, err := beszelTests.CreateRecord(app, "alerts", map[string]any{
+						"name":   "Memory",
+						"system": systemId,
+						"user":   user1.Id,
+						"value":  90,
+						"min":    10,
+					})
+					assert.NoError(t, err, "should create alert")
+				}
+				alerts, _ := app.CountRecords("alerts")
+				assert.EqualValues(t, 2, alerts, "should have 2 alerts")
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				alerts, _ := app.CountRecords("alerts")
+				assert.Zero(t, alerts, "should have 0 alerts")
+			},
+		},
+		{
+			Name:   "User 2 should not be able to delete alert of user 1",
+			Method: http.MethodDelete,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"count\":1", "\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"systems": []string{system2.Id},
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.ClearCollection(t, app, "alerts")
+				for _, user := range []string{user1.Id, user2.Id} {
+					beszelTests.CreateRecord(app, "alerts", map[string]any{
+						"name":   "CPU",
+						"system": system2.Id,
+						"user":   user,
+						"value":  80,
+						"min":    10,
+					})
+				}
+				alerts, _ := app.CountRecords("alerts")
+				assert.EqualValues(t, 2, alerts, "should have 2 alerts")
+				user1AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user1.Id})
+				assert.EqualValues(t, 1, user1AlertCount, "should have 1 alert")
+				user2AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user2.Id})
+				assert.EqualValues(t, 1, user2AlertCount, "should have 1 alert")
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				user1AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user1.Id})
+				assert.EqualValues(t, 1, user1AlertCount, "should have 1 alert")
+				user2AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user2.Id})
+				assert.Zero(t, user2AlertCount, "should have 0 alerts")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+func TestSendTestNotification(t *testing.T) {
+	hub, user := beszelTests.GetHubWithUser(t)
+	defer hub.Cleanup()
+
+	userToken, err := user.NewAuthToken()
+
+	adminUser, err := beszelTests.CreateUserWithRole(hub, "admin@example.com", "password123", "admin")
+	assert.NoError(t, err, "Failed to create admin user")
+	adminUserToken, err := adminUser.NewAuthToken()
+
+	superuser, err := beszelTests.CreateSuperuser(hub, "superuser@example.com", "password123")
+	assert.NoError(t, err, "Failed to create superuser")
+	superuserToken, err := superuser.NewAuthToken()
+	assert.NoError(t, err, "Failed to create superuser auth token")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "POST /test-notification - no auth should fail",
+			Method:          http.MethodPost,
+			URL:             "/api/beszel/test-notification",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"url": "generic://127.0.0.1",
+			}),
+		},
+		{
+			Name:           "POST /test-notification - with external auth should succeed",
+			Method:         http.MethodPost,
+			URL:            "/api/beszel/test-notification",
+			TestAppFactory: testAppFactory,
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			Body: jsonReader(map[string]any{
+				"url": "generic://8.8.8.8",
+			}),
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"err\":"},
+		},
+		{
+			Name:           "POST /test-notification - local url with user auth should fail",
+			Method:         http.MethodPost,
+			URL:            "/api/beszel/test-notification",
+			TestAppFactory: testAppFactory,
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			Body: jsonReader(map[string]any{
+				"url": "generic://localhost:8010",
+			}),
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Only admins"},
+		},
+		{
+			Name:           "POST /test-notification - internal url with user auth should fail",
+			Method:         http.MethodPost,
+			URL:            "/api/beszel/test-notification",
+			TestAppFactory: testAppFactory,
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			Body: jsonReader(map[string]any{
+				"url": "generic+http://192.168.0.5",
+			}),
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Only admins"},
+		},
+		{
+			Name:           "POST /test-notification - internal url with admin auth should succeed",
+			Method:         http.MethodPost,
+			URL:            "/api/beszel/test-notification",
+			TestAppFactory: testAppFactory,
+			Headers: map[string]string{
+				"Authorization": adminUserToken,
+			},
+			Body: jsonReader(map[string]any{
+				"url": "generic://127.0.0.1",
+			}),
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"err\":"},
+		},
+		{
+			Name:           "POST /test-notification - internal url with superuser auth should succeed",
+			Method:         http.MethodPost,
+			URL:            "/api/beszel/test-notification",
+			TestAppFactory: testAppFactory,
+			Headers: map[string]string{
+				"Authorization": superuserToken,
+			},
+			Body: jsonReader(map[string]any{
+				"url": "generic://127.0.0.1",
+			}),
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"err\":"},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
--- a/internal/alerts/alerts_test.go
+++ b/internal/alerts/alerts_test.go
@@ -3,11 +3,6 @@
 package alerts_test

 import (
-	"bytes"
-	"encoding/json"
-	"io"
-	"net/http"
-	"strings"
 	"testing"
 	"testing/synctest"
 	"time"
@@ -16,359 +11,9 @@ import (

 	"github.com/henrygd/beszel/internal/alerts"
 	"github.com/pocketbase/dbx"
-	"github.com/pocketbase/pocketbase/core"
-	pbTests "github.com/pocketbase/pocketbase/tests"
 	"github.com/stretchr/testify/assert"
 )

-// marshal to json and return an io.Reader (for use in ApiScenario.Body)
-func jsonReader(v any) io.Reader {
-	data, err := json.Marshal(v)
-	if err != nil {
-		panic(err)
-	}
-	return bytes.NewReader(data)
-}
-
-func TestUserAlertsApi(t *testing.T) {
-	hub, _ := beszelTests.NewTestHub(t.TempDir())
-	defer hub.Cleanup()
-
-	hub.StartHub()
-
-	user1, _ := beszelTests.CreateUser(hub, "alertstest@example.com", "password")
-	user1Token, _ := user1.NewAuthToken()
-
-	user2, _ := beszelTests.CreateUser(hub, "alertstest2@example.com", "password")
-	user2Token, _ := user2.NewAuthToken()
-
-	system1, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
-		"name":  "system1",
-		"users": []string{user1.Id},
-		"host":  "127.0.0.1",
-	})
-
-	system2, _ := beszelTests.CreateRecord(hub, "systems", map[string]any{
-		"name":  "system2",
-		"users": []string{user1.Id, user2.Id},
-		"host":  "127.0.0.2",
-	})
-
-	userRecords, _ := hub.CountRecords("users")
-	assert.EqualValues(t, 2, userRecords, "all users should be created")
-
-	systemRecords, _ := hub.CountRecords("systems")
-	assert.EqualValues(t, 2, systemRecords, "all systems should be created")
-
-	testAppFactory := func(t testing.TB) *pbTests.TestApp {
-		return hub.TestApp
-	}
-
-	scenarios := []beszelTests.ApiScenario{
-		// {
-		// 	Name:            "GET not implemented - returns index",
-		// 	Method:          http.MethodGet,
-		// 	URL:             "/api/beszel/user-alerts",
-		// 	ExpectedStatus:  200,
-		// 	ExpectedContent: []string{"<html ", "globalThis.BESZEL"},
-		// 	TestAppFactory:  testAppFactory,
-		// },
-		{
-			Name:            "POST no auth",
-			Method:          http.MethodPost,
-			URL:             "/api/beszel/user-alerts",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "POST no body",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"Bad data"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "POST bad data",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"Bad data"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"invalidField": "this should cause validation error",
-				"threshold":    "not a number",
-			}),
-		},
-		{
-			Name:   "POST malformed JSON",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"Bad data"},
-			TestAppFactory:  testAppFactory,
-			Body:            strings.NewReader(`{"alertType": "cpu", "threshold": 80, "enabled": true,}`),
-		},
-		{
-			Name:   "POST valid alert data multiple systems",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":      "CPU",
-				"value":     69,
-				"min":       9,
-				"systems":   []string{system1.Id, system2.Id},
-				"overwrite": false,
-			}),
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				// check total alerts
-				alerts, _ := app.CountRecords("alerts")
-				assert.EqualValues(t, 2, alerts, "should have 2 alerts")
-				// check alert has correct values
-				matchingAlerts, _ := app.CountRecords("alerts", dbx.HashExp{"name": "CPU", "user": user1.Id, "system": system1.Id, "value": 69, "min": 9})
-				assert.EqualValues(t, 1, matchingAlerts, "should have 1 alert")
-			},
-		},
-		{
-			Name:   "POST valid alert data single system",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "Memory",
-				"systems": []string{system1.Id},
-				"value":   90,
-				"min":     10,
-			}),
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				user1Alerts, _ := app.CountRecords("alerts", dbx.HashExp{"user": user1.Id})
-				assert.EqualValues(t, 3, user1Alerts, "should have 3 alerts")
-			},
-		},
-		{
-			Name:   "Overwrite: false, should not overwrite existing alert",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":      "CPU",
-				"value":     45,
-				"min":       5,
-				"systems":   []string{system1.Id},
-				"overwrite": false,
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.ClearCollection(t, app, "alerts")
-				beszelTests.CreateRecord(app, "alerts", map[string]any{
-					"name":   "CPU",
-					"system": system1.Id,
-					"user":   user1.Id,
-					"value":  80,
-					"min":    10,
-				})
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				alerts, _ := app.CountRecords("alerts")
-				assert.EqualValues(t, 1, alerts, "should have 1 alert")
-				alert, _ := app.FindFirstRecordByFilter("alerts", "name = 'CPU' && user = {:user}", dbx.Params{"user": user1.Id})
-				assert.EqualValues(t, 80, alert.Get("value"), "should have 80 as value")
-			},
-		},
-		{
-			Name:   "Overwrite: true, should overwrite existing alert",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user2Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":      "CPU",
-				"value":     45,
-				"min":       5,
-				"systems":   []string{system2.Id},
-				"overwrite": true,
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.ClearCollection(t, app, "alerts")
-				beszelTests.CreateRecord(app, "alerts", map[string]any{
-					"name":   "CPU",
-					"system": system2.Id,
-					"user":   user2.Id,
-					"value":  80,
-					"min":    10,
-				})
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				alerts, _ := app.CountRecords("alerts")
-				assert.EqualValues(t, 1, alerts, "should have 1 alert")
-				alert, _ := app.FindFirstRecordByFilter("alerts", "name = 'CPU' && user = {:user}", dbx.Params{"user": user2.Id})
-				assert.EqualValues(t, 45, alert.Get("value"), "should have 45 as value")
-			},
-		},
-		{
-			Name:            "DELETE no auth",
-			Method:          http.MethodDelete,
-			URL:             "/api/beszel/user-alerts",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"systems": []string{system1.Id},
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.ClearCollection(t, app, "alerts")
-				beszelTests.CreateRecord(app, "alerts", map[string]any{
-					"name":   "CPU",
-					"system": system1.Id,
-					"user":   user1.Id,
-					"value":  80,
-					"min":    10,
-				})
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				alerts, _ := app.CountRecords("alerts")
-				assert.EqualValues(t, 1, alerts, "should have 1 alert")
-			},
-		},
-		{
-			Name:   "DELETE alert",
-			Method: http.MethodDelete,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"count\":1", "\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"systems": []string{system1.Id},
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.ClearCollection(t, app, "alerts")
-				beszelTests.CreateRecord(app, "alerts", map[string]any{
-					"name":   "CPU",
-					"system": system1.Id,
-					"user":   user1.Id,
-					"value":  80,
-					"min":    10,
-				})
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				alerts, _ := app.CountRecords("alerts")
-				assert.Zero(t, alerts, "should have 0 alerts")
-			},
-		},
-		{
-			Name:   "DELETE alert multiple systems",
-			Method: http.MethodDelete,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user1Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"count\":2", "\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "Memory",
-				"systems": []string{system1.Id, system2.Id},
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.ClearCollection(t, app, "alerts")
-				for _, systemId := range []string{system1.Id, system2.Id} {
-					_, err := beszelTests.CreateRecord(app, "alerts", map[string]any{
-						"name":   "Memory",
-						"system": systemId,
-						"user":   user1.Id,
-						"value":  90,
-						"min":    10,
-					})
-					assert.NoError(t, err, "should create alert")
-				}
-				alerts, _ := app.CountRecords("alerts")
-				assert.EqualValues(t, 2, alerts, "should have 2 alerts")
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				alerts, _ := app.CountRecords("alerts")
-				assert.Zero(t, alerts, "should have 0 alerts")
-			},
-		},
-		{
-			Name:   "User 2 should not be able to delete alert of user 1",
-			Method: http.MethodDelete,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": user2Token,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"count\":1", "\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"systems": []string{system2.Id},
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.ClearCollection(t, app, "alerts")
-				for _, user := range []string{user1.Id, user2.Id} {
-					beszelTests.CreateRecord(app, "alerts", map[string]any{
-						"name":   "CPU",
-						"system": system2.Id,
-						"user":   user,
-						"value":  80,
-						"min":    10,
-					})
-				}
-				alerts, _ := app.CountRecords("alerts")
-				assert.EqualValues(t, 2, alerts, "should have 2 alerts")
-				user1AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user1.Id})
-				assert.EqualValues(t, 1, user1AlertCount, "should have 1 alert")
-				user2AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user2.Id})
-				assert.EqualValues(t, 1, user2AlertCount, "should have 1 alert")
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				user1AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user1.Id})
-				assert.EqualValues(t, 1, user1AlertCount, "should have 1 alert")
-				user2AlertCount, _ := app.CountRecords("alerts", dbx.HashExp{"user": user2.Id})
-				assert.Zero(t, user2AlertCount, "should have 0 alerts")
-			},
-		},
-	}
-
-	for _, scenario := range scenarios {
-		scenario.Test(t)
-	}
-}
-
 func TestAlertsHistory(t *testing.T) {
 	synctest.Test(t, func(t *testing.T) {
 		hub, user := beszelTests.GetHubWithUser(t)
--- a/internal/alerts/alerts_test_helpers.go
+++ b/internal/alerts/alerts_test_helpers.go
@@ -95,3 +95,7 @@ func (am *AlertManager) RestorePendingStatusAlerts() error {
 func (am *AlertManager) SetAlertTriggered(alert CachedAlertData, triggered bool) error {
 	return am.setAlertTriggered(alert, triggered)
 }
+
+func IsInternalURL(rawURL string) (bool, error) {
+	return isInternalURL(rawURL)
+}
--- a/internal/hub/api.go
+++ b/internal/hub/api.go
@@ -14,6 +14,7 @@ import (
 	"github.com/henrygd/beszel/internal/ghupdate"
 	"github.com/henrygd/beszel/internal/hub/config"
 	"github.com/henrygd/beszel/internal/hub/systems"
+	"github.com/henrygd/beszel/internal/hub/utils"
 	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/apis"
 	"github.com/pocketbase/pocketbase/core"
@@ -70,13 +71,13 @@ func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
 		return e.Next()
 	}
 	// authenticate with trusted header
-	if autoLogin, _ := GetEnv("AUTO_LOGIN"); autoLogin != "" {
+	if autoLogin, _ := utils.GetEnv("AUTO_LOGIN"); autoLogin != "" {
 		se.Router.BindFunc(func(e *core.RequestEvent) error {
 			return authorizeRequestWithEmail(e, autoLogin)
 		})
 	}
 	// authenticate with trusted header
-	if trustedHeader, _ := GetEnv("TRUSTED_AUTH_HEADER"); trustedHeader != "" {
+	if trustedHeader, _ := utils.GetEnv("TRUSTED_AUTH_HEADER"); trustedHeader != "" {
 		se.Router.BindFunc(func(e *core.RequestEvent) error {
 			return authorizeRequestWithEmail(e, e.Request.Header.Get(trustedHeader))
 		})
@@ -104,7 +105,7 @@ func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	apiAuth.GET("/info", h.getInfo)
 	apiAuth.GET("/getkey", h.getInfo) // deprecated - keep for compatibility w/ integrations
 	// check for updates
-	if optIn, _ := GetEnv("CHECK_UPDATES"); optIn == "true" {
+	if optIn, _ := utils.GetEnv("CHECK_UPDATES"); optIn == "true" {
 		var updateInfo UpdateInfo
 		apiAuth.GET("/update", updateInfo.getUpdate)
 	}
@@ -127,7 +128,7 @@ func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	// get systemd service details
 	apiAuth.GET("/systemd/info", h.getSystemdInfo)
 	// /containers routes
-	if enabled, _ := GetEnv("CONTAINER_DETAILS"); enabled != "false" {
+	if enabled, _ := utils.GetEnv("CONTAINER_DETAILS"); enabled != "false" {
 		// get container logs
 		apiAuth.GET("/containers/logs", h.getContainerLogs)
 		// get container info
@@ -147,7 +148,7 @@ func (h *Hub) getInfo(e *core.RequestEvent) error {
 		Key:     h.pubKey,
 		Version: beszel.Version,
 	}
-	if optIn, _ := GetEnv("CHECK_UPDATES"); optIn == "true" {
+	if optIn, _ := utils.GetEnv("CHECK_UPDATES"); optIn == "true" {
 		info.CheckUpdate = true
 	}
 	return e.JSON(http.StatusOK, info)
@@ -315,7 +316,7 @@ func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*syst
 	}

 	system, err := h.sm.GetSystem(systemID)
-	if err != nil || !system.HasUser(e.App, e.Auth.Id) {
+	if err != nil || !system.HasUser(e.App, e.Auth) {
 		return e.NotFoundError("", nil)
 	}

@@ -350,7 +351,7 @@ func (h *Hub) getSystemdInfo(e *core.RequestEvent) error {
 		return e.BadRequestError("Invalid system or service parameter", nil)
 	}
 	system, err := h.sm.GetSystem(systemID)
-	if err != nil || !system.HasUser(e.App, e.Auth.Id) {
+	if err != nil || !system.HasUser(e.App, e.Auth) {
 		return e.NotFoundError("", nil)
 	}
 	// verify service exists before fetching details
@@ -378,7 +379,7 @@ func (h *Hub) refreshSmartData(e *core.RequestEvent) error {
 	}

 	system, err := h.sm.GetSystem(systemID)
-	if err != nil || !system.HasUser(e.App, e.Auth.Id) {
+	if err != nil || !system.HasUser(e.App, e.Auth) {
 		return e.NotFoundError("", nil)
 	}

--- a/internal/hub/api_test.go
+++ b/internal/hub/api_test.go
@@ -66,31 +66,6 @@ func TestApiRoutesAuthentication(t *testing.T) {

 	scenarios := []beszelTests.ApiScenario{
 		// Auth Protected Routes - Should require authentication
-		{
-			Name:            "POST /test-notification - no auth should fail",
-			Method:          http.MethodPost,
-			URL:             "/api/beszel/test-notification",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"url": "generic://127.0.0.1",
-			}),
-		},
-		{
-			Name:           "POST /test-notification - with auth should succeed",
-			Method:         http.MethodPost,
-			URL:            "/api/beszel/test-notification",
-			TestAppFactory: testAppFactory,
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			Body: jsonReader(map[string]any{
-				"url": "generic://127.0.0.1",
-			}),
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"sending message"},
-		},
 		{
 			Name:            "GET /config-yaml - no auth should fail",
 			Method:          http.MethodGet,
@@ -369,6 +344,23 @@ func TestApiRoutesAuthentication(t *testing.T) {
 				"Authorization": user2Token,
 			},
 		},
+		{
+			Name:            "GET /containers/info - SHARE_ALL_SYSTEMS allows non-member user",
+			Method:          http.MethodGet,
+			URL:             fmt.Sprintf("/api/beszel/containers/info?system=%s&container=abababababab", system.Id),
+			ExpectedStatus:  500,
+			ExpectedContent: []string{"Something went wrong while processing your request."},
+			TestAppFactory:  testAppFactory,
+			Headers: map[string]string{
+				"Authorization": user2Token,
+			},
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "true")
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				t.Setenv("SHARE_ALL_SYSTEMS", "")
+			},
+		},
 		{
 			Name:   "GET /containers/logs - with auth but missing system param should fail",
 			Method: http.MethodGet,
--- a/internal/hub/collections.go
+++ b/internal/hub/collections.go
@@ -1,6 +1,9 @@
 package hub

-import "github.com/pocketbase/pocketbase/core"
+import (
+	"github.com/henrygd/beszel/internal/hub/utils"
+	"github.com/pocketbase/pocketbase/core"
+)

 type collectionRules struct {
 	list   *string
@@ -22,11 +25,11 @@ func setCollectionAuthSettings(app core.App) error {
 	}

 	// disable email auth if DISABLE_PASSWORD_AUTH env var is set
-	disablePasswordAuth, _ := GetEnv("DISABLE_PASSWORD_AUTH")
+	disablePasswordAuth, _ := utils.GetEnv("DISABLE_PASSWORD_AUTH")
 	usersCollection.PasswordAuth.Enabled = disablePasswordAuth != "true"
 	usersCollection.PasswordAuth.IdentityFields = []string{"email"}
 	// allow oauth user creation if USER_CREATION is set
-	if userCreation, _ := GetEnv("USER_CREATION"); userCreation == "true" {
+	if userCreation, _ := utils.GetEnv("USER_CREATION"); userCreation == "true" {
 		cr := "@request.context = 'oauth2'"
 		usersCollection.CreateRule = &cr
 	} else {
@@ -34,7 +37,7 @@ func setCollectionAuthSettings(app core.App) error {
 	}

 	// enable mfaOtp mfa if MFA_OTP env var is set
-	mfaOtp, _ := GetEnv("MFA_OTP")
+	mfaOtp, _ := utils.GetEnv("MFA_OTP")
 	usersCollection.OTP.Length = 6
 	superusersCollection.OTP.Length = 6
 	usersCollection.OTP.Enabled = mfaOtp == "true"
@@ -50,7 +53,7 @@ func setCollectionAuthSettings(app core.App) error {

 	// When SHARE_ALL_SYSTEMS is enabled, any authenticated user can read
 	// system-scoped data. Write rules continue to block readonly users.
-	shareAllSystems, _ := GetEnv("SHARE_ALL_SYSTEMS")
+	shareAllSystems, _ := utils.GetEnv("SHARE_ALL_SYSTEMS")

 	authenticatedRule := "@request.auth.id != \"\""
 	systemsMemberRule := authenticatedRule + " && users.id ?= @request.auth.id"
--- a/internal/hub/hub.go
+++ b/internal/hub/hub.go
@@ -15,6 +15,7 @@ import (
 	"github.com/henrygd/beszel/internal/hub/config"
 	"github.com/henrygd/beszel/internal/hub/heartbeat"
 	"github.com/henrygd/beszel/internal/hub/systems"
+	"github.com/henrygd/beszel/internal/hub/utils"
 	"github.com/henrygd/beszel/internal/records"
 	"github.com/henrygd/beszel/internal/users"

@@ -44,7 +45,7 @@ func NewHub(app core.App) *Hub {
 	hub.um = users.NewUserManager(hub)
 	hub.rm = records.NewRecordManager(hub)
 	hub.sm = systems.NewSystemManager(hub)
-	hub.hb = heartbeat.New(app, GetEnv)
+	hub.hb = heartbeat.New(app, utils.GetEnv)
 	if hub.hb != nil {
 		hub.hbStop = make(chan struct{})
 	}
@@ -52,15 +53,6 @@ func NewHub(app core.App) *Hub {
 	return hub
 }

-// GetEnv retrieves an environment variable with a "BESZEL_HUB_" prefix, or falls back to the unprefixed key.
-func GetEnv(key string) (value string, exists bool) {
-	if value, exists = os.LookupEnv("BESZEL_HUB_" + key); exists {
-		return value, exists
-	}
-	// Fallback to the old unprefixed key
-	return os.LookupEnv(key)
-}
-
 // onAfterBootstrapAndMigrations ensures the provided function runs after the database is set up and migrations are applied.
 // This is a workaround for behavior in PocketBase where onBootstrap runs before migrations, forcing use of onServe for this purpose.
 // However, PB's tests.TestApp is already bootstrapped, generally doesn't serve, but does handle migrations.
@@ -131,7 +123,7 @@ func (h *Hub) initialize(app core.App) error {
 	// batch requests (for alerts)
 	settings.Batch.Enabled = true
 	// set URL if APP_URL env is set
-	if appURL, isSet := GetEnv("APP_URL"); isSet {
+	if appURL, isSet := utils.GetEnv("APP_URL"); isSet {
 		h.appURL = appURL
 		settings.Meta.AppURL = appURL
 	}
--- a/internal/hub/server_production.go
+++ b/internal/hub/server_production.go
@@ -9,6 +9,7 @@ import (
 	"strings"

 	"github.com/henrygd/beszel"
+	"github.com/henrygd/beszel/internal/hub/utils"
 	"github.com/henrygd/beszel/internal/site"

 	"github.com/pocketbase/pocketbase/apis"
@@ -32,7 +33,7 @@ func (h *Hub) startServer(se *core.ServeEvent) error {
 	staticPaths := [2]string{"/static/", "/assets/"}
 	serveStatic := apis.Static(site.DistDirFS, false)
 	// get CSP configuration
-	csp, cspExists := GetEnv("CSP")
+	csp, cspExists := utils.GetEnv("CSP")
 	// add route
 	se.Router.GET("/{path...}", func(e *core.RequestEvent) error {
 		// serve static assets if path is in staticPaths
--- a/internal/hub/systems/system.go
+++ b/internal/hub/systems/system.go
@@ -15,6 +15,7 @@ import (

 	"github.com/henrygd/beszel/internal/common"
 	"github.com/henrygd/beszel/internal/hub/transport"
+	"github.com/henrygd/beszel/internal/hub/utils"
 	"github.com/henrygd/beszel/internal/hub/ws"

 	"github.com/henrygd/beszel/internal/entities/container"
@@ -353,14 +354,21 @@ func (sys *System) getRecord(app core.App) (*core.Record, error) {
 	return record, nil
 }

-// HasUser checks if the given user ID is in the system's users list.
-func (sys *System) HasUser(app core.App, userID string) bool {
+// HasUser checks if the given user is in the system's users list.
+// Returns true if SHARE_ALL_SYSTEMS is enabled (any authenticated user can access any system).
+func (sys *System) HasUser(app core.App, user *core.Record) bool {
+	if user == nil {
+		return false
+	}
+	if v, _ := utils.GetEnv("SHARE_ALL_SYSTEMS"); v == "true" {
+		return true
+	}
 	record, err := sys.getRecord(app)
 	if err != nil {
 		return false
 	}
 	users := record.GetStringSlice("users")
-	return slices.Contains(users, userID)
+	return slices.Contains(users, user.Id)
 }

 // setDown marks a system as down in the database.
--- a/internal/hub/systems/systems_test.go
+++ b/internal/hub/systems/systems_test.go
@@ -421,3 +421,51 @@ func testOld(t *testing.T, hub *tests.TestHub) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestHasUser(t *testing.T) {
+	hub, err := tests.NewTestHub(t.TempDir())
+	require.NoError(t, err)
+	defer hub.Cleanup()
+
+	sm := hub.GetSystemManager()
+	err = sm.Initialize()
+	require.NoError(t, err)
+
+	user1, err := tests.CreateUser(hub, "user1@test.com", "password123")
+	require.NoError(t, err)
+	user2, err := tests.CreateUser(hub, "user2@test.com", "password123")
+	require.NoError(t, err)
+
+	record, err := tests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "has-user-test",
+		"host":  "127.0.0.1",
+		"port":  "33914",
+		"users": []string{user1.Id},
+	})
+	require.NoError(t, err)
+
+	sys, err := sm.GetSystemFromStore(record.Id)
+	require.NoError(t, err)
+
+	t.Run("user in list returns true", func(t *testing.T) {
+		assert.True(t, sys.HasUser(hub, user1))
+	})
+
+	t.Run("user not in list returns false", func(t *testing.T) {
+		assert.False(t, sys.HasUser(hub, user2))
+	})
+
+	t.Run("unknown user ID returns false", func(t *testing.T) {
+		assert.False(t, sys.HasUser(hub, nil))
+	})
+
+	t.Run("SHARE_ALL_SYSTEMS=true grants access to non-member", func(t *testing.T) {
+		t.Setenv("SHARE_ALL_SYSTEMS", "true")
+		assert.True(t, sys.HasUser(hub, user2))
+	})
+
+	t.Run("BESZEL_HUB_SHARE_ALL_SYSTEMS=true grants access to non-member", func(t *testing.T) {
+		t.Setenv("BESZEL_HUB_SHARE_ALL_SYSTEMS", "true")
+		assert.True(t, sys.HasUser(hub, user2))
+	})
+}
--- a/internal/hub/utils/utils.go
+++ b/internal/hub/utils/utils.go
@@ -0,0 +1,12 @@
+// Package utils provides utility functions for the hub.
+package utils
+
+import "os"
+
+// GetEnv retrieves an environment variable with a "BESZEL_HUB_" prefix, or falls back to the unprefixed key.
+func GetEnv(key string) (value string, exists bool) {
+	if value, exists = os.LookupEnv("BESZEL_HUB_" + key); exists {
+		return value, exists
+	}
+	return os.LookupEnv(key)
+}
--- a/internal/site/src/components/routes/settings/notifications.tsx
+++ b/internal/site/src/components/routes/settings/notifications.tsx
@@ -15,6 +15,7 @@ import { isAdmin, pb } from "@/lib/api"
 import type { UserSettings } from "@/types"
 import { saveSettings } from "./layout"
 import { QuietHours } from "./quiet-hours"
+import type { ClientResponseError } from "pocketbase"

 interface ShoutrrrUrlCardProps {
 	url: string
@@ -59,10 +60,10 @@ const SettingsNotificationsPage = ({ userSettings }: { userSettings: UserSetting
 		try {
 			const parsedData = v.parse(NotificationSchema, { emails, webhooks })
 			await saveSettings(parsedData)
-		} catch (e: any) {
+		} catch (e: unknown) {
 			toast({
 				title: t`Failed to save settings`,
-				description: e.message,
+				description: (e as Error).message,
 				variant: "destructive",
 			})
 		}
@@ -136,12 +137,7 @@ const SettingsNotificationsPage = ({ userSettings }: { userSettings: UserSetting
 								</Trans>
 							</p>
 						</div>
-						<Button
-							type="button"
-							variant="outline"
-							className="h-10 shrink-0"
-							onClick={addWebhook}
-						>
+						<Button type="button" variant="outline" className="h-10 shrink-0" onClick={addWebhook}>
 							<PlusIcon className="size-4" />
 							<span className="ms-1">
 								<Trans>Add URL</Trans>
@@ -180,25 +176,34 @@ const SettingsNotificationsPage = ({ userSettings }: { userSettings: UserSetting
 	)
 }

+function showTestNotificationError(msg: string) {
+	toast({
+		title: t`Error`,
+		description: msg ?? t`Failed to send test notification`,
+		variant: "destructive",
+	})
+}
+
 const ShoutrrrUrlCard = ({ url, onUrlChange, onRemove }: ShoutrrrUrlCardProps) => {
 	const [isLoading, setIsLoading] = useState(false)

 	const sendTestNotification = async () => {
 		setIsLoading(true)
-		const res = await pb.send("/api/beszel/test-notification", { method: "POST", body: { url } })
-		if ("err" in res && !res.err) {
-			toast({
-				title: t`Test notification sent`,
-				description: t`Check your notification service`,
-			})
-		} else {
-			toast({
-				title: t`Error`,
-				description: res.err ?? t`Failed to send test notification`,
-				variant: "destructive",
-			})
+		try {
+			const res = await pb.send("/api/beszel/test-notification", { method: "POST", body: { url } })
+			if ("err" in res && !res.err) {
+				toast({
+					title: t`Test notification sent`,
+					description: t`Check your notification service`,
+				})
+			} else {
+				showTestNotificationError(res.err)
+			}
+		} catch (e: unknown) {
+			showTestNotificationError((e as ClientResponseError).data?.message)
+		} finally {
+			setIsLoading(false)
 		}
-		setIsLoading(false)
 	}

 	return (
Author	SHA1	Message	Date
henrygd	0ae8c42ae0	fix(hub): `System.HasUser` - return true if `SHARE_ALL_SYSTEMS=true` (#1891 ) - move hub's GetEnv function to new utils package to more easily share across different hub packages - change System.HasUser to take core.Record instead of user ID string - add tests	2026-04-08 20:13:39 -04:00
henrygd	ea80f3c5a2	fix(agent): add safety check for read returning negative bytes (#1799 )	2026-04-07 18:41:22 -04:00
henrygd	c3dffff5e4	hub: prevent non-admin users from sending test alerts to internal hosts	2026-04-07 16:08:28 -04:00
henrygd	06fdd0e7a8	refactor(hub,alerts): move api functions/tests to alerts_api.go	2026-04-07 14:47:08 -04:00