fix planner

pytorrent/services/auth.py

@@ -1,11 +1,8 @@
 from __future__ import annotations
-
 from functools import wraps
 from typing import Any
 import secrets
-
 from urllib.parse import urlparse
-
 from flask import abort, g, has_request_context, jsonify, redirect, request, session, url_for
 from werkzeug.security import check_password_hash, generate_password_hash
 
@@ -39,8 +36,6 @@ RTORRENT_WRITE_PREFIXES = (
 )
 RTORRENT_CONFIG_PREFIXES = ("/api/rtorrent-config",)
 ADMIN_PREFIXES = ("/api/auth/users", "/api/profiles")
-# Note: API reads that expose rTorrent/profile data must also respect profile permissions.
-# Note: Planner, poller and operation-log endpoints are profile-scoped and must follow the active profile context.
 PROFILE_READ_PREFIXES = (
     "/api/torrents",
     "/api/torrent-stats",
@@ -101,7 +96,6 @@ def _host_matches_bypass(host: str) -> bool:
 
 
 def auth_bypassed_request() -> bool:
-    # Note: Allows trusted direct-IP access to keep auth enabled for reverse-proxy traffic.
     if not enabled() or not AUTH_BYPASS_HOSTS or not has_request_context():
         return False
     return _host_matches_bypass(request.host)
@@ -115,7 +109,6 @@ def bypass_user_id() -> int:
         row = conn.execute("SELECT id FROM users WHERE username=? AND is_active=1", (username,)).fetchone()
         if row:
             return int(row["id"])
-        # Note: Keep direct-IP access usable after old installs, but never choose an inactive fallback.
         row = conn.execute("SELECT id FROM users WHERE username='admin' AND is_active=1").fetchone()
         if row:
             return int(row["id"])
@@ -126,7 +119,6 @@ def current_user_id() -> int:
     if not enabled():
         return default_user_id()
     if not has_request_context():
-        # Note: Background jobs and schedulers do not have Flask request/session state.
         return 0
     if auth_bypassed_request():
         return bypass_user_id()