Protect new 'root' views, only admin users allowed..

Heh whoops.
2016-10-18 19:17:23 -05:00 · 2016-10-18 19:17:23 -05:00 · 7932fffa1a
parent 2c27120eb4
commit 7932fffa1a
1 changed files with 6 additions and 2 deletions
--- a/tailbone/views/auth.py
+++ b/tailbone/views/auth.py
@ -29,7 +29,7 @@ from __future__ import unicode_literals, absolute_import
 from rattail.db.auth import authenticate_user, set_user_password
 import formencode
-from pyramid.httpexceptions import HTTPFound
+from pyramid.httpexceptions import HTTPFound, HTTPForbidden
 from pyramid.security import remember, forget
 from pyramid_simpleform import Form
 from webhelpers.html import literal
@ -107,8 +107,10 @@ def become_root(request):
    """
    Elevate the current request to 'root' for full system access.
    """
    if not request.is_admin:
        raise HTTPForbidden()
    request.session['is_root'] = True
-    request.session.flash("You have been elevated to 'root' and now have full system access", 'error')
+    request.session.flash("You have been elevated to 'root' and now have full system access")
    return HTTPFound(location=request.get_referrer())
@ -116,6 +118,8 @@ def stop_root(request):
    """
    Lower the current request from 'root' back to normal access.
    """
    if not request.is_admin:
        raise HTTPForbidden()
    request.session['is_root'] = False
    request.session.flash("Your normal system access has been restored")
    return HTTPFound(location=request.get_referrer())