changeset 107:1a047dcf791c

admin views: use abort(403) if not superuser, add some more superuser checks
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 12 Mar 2011 14:52:27 +0100
parents 5144c90c6bd8
children f789b04b44fd
files MoinMoin/apps/admin/views.py
diffstat 1 files changed, 12 insertions(+), 5 deletions(-) [+]
--- a/MoinMoin/apps/admin/views.py	Sat Mar 12 14:41:33 2011 +0100
+++ b/MoinMoin/apps/admin/views.py	Sat Mar 12 14:52:27 2011 +0100
@@ -13,7 +13,7 @@
 """
 
 
-from flask import request, url_for, flash, redirect
+from flask import request, url_for, flash, redirect, abort
 from flask import current_app as app
 from flask import flaskg
 
@@ -34,7 +34,9 @@
     """
     User Account Browser
     """
-    # XXX add superuser check
+    if not flaskg.user or not flaskg.user.isSuperUser():
+        abort(403)
+
     groups = flaskg.groups
     user_accounts = []
     for uid in user.getUserList():
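Review bot: The two-line superuser check inserted before `groups = flaskg.groups` is repeated verbatim in the `uid = user.getUserId(user_name)` hunk, in `sysitems_upgrade` and in both wikiconfig views, which is exactly the pattern that let the removed `# XXX add superuser check` markers linger: every new admin view must remember to copy it. A small decorator placed under `@admin.route(...)` would keep the check in one place and make an unguarded admin view visible at a glance; it needs `from functools import wraps` next to the existing imports so the wrapped view keeps its `__name__` and Flask's endpoint names do not collide. The enclosing view function of this hunk starts and ends outside the hunk. Whether `flaskg.user` can really be unset here is not visible from the hunk; if the app always installs an anonymous user object the `not flaskg.user` half is harmless but never fires.
```python
def require_superuser(f):
    """Abort with 403 unless the current request's user is a superuser."""
    @wraps(f)
    def wrapper(*args, **kwargs):
        if not flaskg.user or not flaskg.user.isSuperUser():
            abort(403)
        return f(*args, **kwargs)
    return wrapper

# … unchanged: other admin views, each gaining the same decorator line …
@admin.route('/sysitems_upgrade', methods=['GET', 'POST', ])
@require_superuser
def sysitems_upgrade():
    # … unchanged: view body, inline check dropped …
```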
@@ -54,7 +56,9 @@
     """
     Set values in user profile
     """
-    # XXX add superuser check
+    if not flaskg.user or not flaskg.user.isSuperUser():
+        abort(403)
+
     uid = user.getUserId(user_name)
     u = user.User(uid)
     if request.method == 'GET':
@@ -96,6 +100,9 @@
 
 @admin.route('/sysitems_upgrade', methods=['GET', 'POST', ])
 def sysitems_upgrade():
+    if not flaskg.user or not flaskg.user.isSuperUser():
+        abort(403)
+
     from MoinMoin.storage.backends import upgrade_sysitems
     from MoinMoin.storage.error import BackendError
     if request.method == 'GET':
@@ -119,7 +126,7 @@
 @admin.route('/wikiconfig', methods=['GET', ])
 def wikiconfig():
     if not flaskg.user or not flaskg.user.isSuperUser():
-        return ''
+        abort(403)
 
     settings = {}
     for groupname in defaultconfig.options:
@@ -166,7 +173,7 @@
 @admin.route('/wikiconfighelp', methods=['GET', ])
 def wikiconfighelp():
     if not flaskg.user or not flaskg.user.isSuperUser():
-        return ''
+        abort(403)
 
     def format_default(default):
         if isinstance(default, defaultconfig.DefaultExpression):