Protect new 'root' views, only admin users allowed..

Heh whoops.

tailbone/views/auth.py

@@ -29,7 +29,7 @@ from __future__ import unicode_literals, absolute_import
 from rattail.db.auth import authenticate_user, set_user_password
 
 import formencode
-from pyramid.httpexceptions import HTTPFound
+from pyramid.httpexceptions import HTTPFound, HTTPForbidden
 from pyramid.security import remember, forget
 from pyramid_simpleform import Form
 from webhelpers.html import literal
@@ -107,8 +107,10 @@ def become_root(request):
     """
     Elevate the current request to 'root' for full system access.
     """
+    if not request.is_admin:
+        raise HTTPForbidden()
     request.session['is_root'] = True
-    request.session.flash("You have been elevated to 'root' and now have full system access", 'error')
+    request.session.flash("You have been elevated to 'root' and now have full system access")
     return HTTPFound(location=request.get_referrer())
 
 
@@ -116,6 +118,8 @@ def stop_root(request):
     """
     Lower the current request from 'root' back to normal access.
     """
+    if not request.is_admin:
+        raise HTTPForbidden()
     request.session['is_root'] = False
     request.session.flash("Your normal system access has been restored")
     return HTTPFound(location=request.get_referrer())