changeset 3520:fa0ee02c9c39

action.thread_monitor: added restrictions for superuser and actions_excluded
author Reimar Bauer <rb.proj AT googlemail DOT com>
date Sat, 26 Apr 2008 10:39:25 +0200
parents db35fff4d5ec
children c9f5e4f9a76e
files MoinMoin/action/thread_monitor.py
diffstat 1 files changed, 17 insertions(+), 1 deletions(-) [+]
--- a/MoinMoin/action/thread_monitor.py	Tue Apr 22 23:14:13 2008 +0200
+++ b/MoinMoin/action/thread_monitor.py	Sat Apr 26 10:39:25 2008 +0200
@@ -10,10 +10,18 @@
 import os, time
 from StringIO import StringIO
 
-from MoinMoin import wikiutil
+from MoinMoin import Page, wikiutil
 from MoinMoin.util import thread_monitor
 
 def execute_fs(pagename, request):
+    _ = request.getText
+    # be extra paranoid in dangerous actions
+    actname = __name__.split('.')[-1]
+    if actname in request.cfg.actions_excluded or \
+       not request.user.isSuperUser():
+        request.theme.add_msg(_('You are not allowed to use this action.'), "error")
+        return Page.Page(request, pagename).send_page()
+
     if thread_monitor.hook_enabled():
         s = StringIO()
         thread_monitor.trigger_dump(s)
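Review bot: The authorization guard added at the top of execute_fs is repeated verbatim in execute_wiki in the next hunk, and two copies of an access check can drift apart when only one is edited later. A single module-level helper would keep them in step, for example `def _denied(request):` with the body `return __name__.split('.')[-1] in request.cfg.actions_excluded or not request.user.isSuperUser()`, called as `if _denied(request):` in both functions. The comment `# be extra paranoid in dangerous actions` would also help more if it named the risk, e.g. `# thread dumps expose server internals: superuser only, never when excluded in the config`, assuming that is the concern. execute_fs continues past the end of this hunk.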
@@ -31,6 +39,14 @@
     request.write('<html><body>A dump has been saved to %s.</body></html>' % dump_fname)
 
 def execute_wiki(pagename, request):
+    _ = request.getText
+    # be extra paranoid in dangerous actions
+    actname = __name__.split('.')[-1]
+    if actname in request.cfg.actions_excluded or \
+       not request.user.isSuperUser():
+        request.theme.add_msg(_('You are not allowed to use this action.'), "error")
+        return Page.Page(request, pagename).send_page()
+
     request.emit_http_headers()
 
     request.theme.send_title("Thread monitor")
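Review bot: The new guard settles who may run the action but not how the request arrived; nothing in either hunk restricts the request method or checks an anti-CSRF token. The context line at the top of this hunk shows execute_fs ending with a dump saved to a file on the server, so a logged-in superuser's browser that is made to load the action URL would presumably still cause that write; whether the dispatcher already prevents this cannot be seen here. If it does not, the side-effecting variant should accept only POST together with the wiki's ticket check, and until then a marker such as `# TODO: require POST + ticket before writing the dump file` next to the guard would record the gap. Both function bodies extend outside the visible hunks.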