Protect new 'root' views, only admin users allowed..

Heh whoops.
Lance Edgar 2016-10-18 19:17:23 -05:00
parent 2c27120eb4
commit 7932fffa1a


@ -29,7 +29,7 @@ from __future__ import unicode_literals, absolute_import
from rattail.db.auth import authenticate_user, set_user_password
import formencode
from pyramid.httpexceptions import HTTPFound
from pyramid.httpexceptions import HTTPFound, HTTPForbidden
from pyramid.security import remember, forget
from pyramid_simpleform import Form
from webhelpers.html import literal
@ -107,8 +107,10 @@ def become_root(request):
"""
Elevate the current request to 'root' for full system access.
"""
if not request.is_admin:
raise HTTPForbidden()
request.session['is_root'] = True
request.session.flash("You have been elevated to 'root' and now have full system access", 'error')
request.session.flash("You have been elevated to 'root' and now have full system access")
return HTTPFound(location=request.get_referrer())
@ -116,6 +118,8 @@ def stop_root(request):
"""
Lower the current request from 'root' back to normal access.
"""
if not request.is_admin:
raise HTTPForbidden()
request.session['is_root'] = False
request.session.flash("Your normal system access has been restored")
return HTTPFound(location=request.get_referrer())
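Review bot: Elevating a session to root is a privileged state change, and nothing in the `become_root` body records who did it or when; a line such as `log.warning("user %s elevated session to root", request.user)` before `request.session['is_root'] = True` would give an audit trail, assuming a module logger and `request.user` exist outside the hunk. The new admin guard in `stop_root` also means a user whose admin flag was revoked while `is_root` was still set in the session gets a 403 instead of being able to drop the elevation; since lowering privilege is harmless for anyone, `stop_root` can skip the `is_admin` check and clear the flag unconditionally. Both views redirect to the referrer after mutating session state, which suggests they are reachable by a plain GET; if the view configuration (not shown here) does not restrict them to POST with a CSRF token, a cross-site link can toggle an admin's root mode. It is also worth confirming that `request.is_admin` is not itself derived from the `is_root` session flag, since that would make the guard circular.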