Add user_is_protected() method to core View class

also, don't allow "protected" users to change their own password

tailbone/views/auth.py

@@ -172,6 +172,10 @@ class AuthenticationView(View):
         if not self.request.user:
             return self.redirect(self.request.route_url('home'))
 
+        if self.user_is_protected(self.request.user):
+            self.request.session.flash("Cannot change password for user: {}".format(self.request.user))
+            return self.redirect(self.request.get_referrer())
+
         use_buefy = self.get_use_buefy()
         schema = ChangePassword().bind(user=self.request.user)
         form = forms.Form(schema=schema, request=self.request, use_buefy=use_buefy)

tailbone/views/core.py

@@ -42,7 +42,7 @@ from tailbone.db import Session
 from tailbone.auth import logout_user
 from tailbone.progress import SessionProgress
 from tailbone.util import should_use_buefy
-from tailbone.config import legacy_mobile_enabled
+from tailbone.config import legacy_mobile_enabled, protected_usernames
 
 
 class View(object):
@@ -110,6 +110,20 @@ class View(object):
             if uuid:
                 return Session.query(model.User).get(uuid)
 
+    def user_is_protected(self, user):
+        """
+        This logic will consult the settings for a list of "protected"
+        usernames, which should require root privileges to edit.  If the given
+        ``user`` object is represented in this list, it is considered to be
+        protected and this method will return ``True``; otherwise it returns
+        ``False``.
+        """
+        if not hasattr(self, 'protected_usernames'):
+            self.protected_usernames = protected_usernames(self.rattail_config)
+        if self.protected_usernames and user.username in self.protected_usernames:
+            return True
+        return False
+
     def redirect(self, url, **kwargs):
         """
         Convenience method to return a HTTP 302 response.

tailbone/views/users.py

@@ -42,7 +42,6 @@ from tailbone import forms
 from tailbone.db import Session
 from tailbone.views import MasterView
 from tailbone.views.principal import PrincipalMasterView, PermissionsRenderer
-from tailbone.config import protected_usernames
 
 
 class UsersView(PrincipalMasterView):
@@ -154,23 +153,6 @@ class UsersView(PrincipalMasterView):
             return True
         return not self.user_is_protected(user)
 
-    def user_is_protected(self, user):
-        """
-        This logic will consult the settings, for a list of "protected"
-        usernames, which should require root privileges to edit.  If no setting
-        is found, or the given ``user`` is not represented in the setting, then
-        edit is allowed.
-
-        But if there is a setting, and the ``user`` is represented in it, then
-        this method will return ``True`` only if the "current" app user is
-        "root", otherwise will return ``False``.
-        """
-        if not hasattr(self, 'protected_usernames'):
-            self.protected_usernames = protected_usernames(self.rattail_config)
-        if self.protected_usernames and user.username in self.protected_usernames:
-            return True
-        return False
-
     def unique_username(self, node, value):
         query = self.Session.query(model.User)\
                             .filter(model.User.username == value)