From d5aa1bd4deabf635a0259fec4675bf44b3b341fe Mon Sep 17 00:00:00 2001
From: iou1name
Date: Sat, 21 Nov 2020 13:23:15 -0500
Subject: [PATCH] prevent non-admins from accessing critical functions
---
 forms.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/forms.py b/forms.py
index 35d0339..d68f54c 100644
--- a/forms.py
+++ b/forms.py
@@ -13,7 +13,6 @@ async def invite_user(request):
     """Allows an admin to invite a new user."""
     if not request['session']['admin']:
         return {'main': "You do not have permission to do that."}
-
     data = await request.post()
     email = data.get('email')
@@ -27,6 +26,8 @@ async def invite_user(request):
 async def change_user_perms(request):
     """Allows an admin to change user permissions."""
+    if not request['session']['admin']:
+        return {'main': "You do not have permission to do that."}
     data = await request.post()
     data = json.loads(data['perms'])
@@ -52,6 +53,8 @@ async def change_user_perms(request):
 async def new_app(request):
     """Allows an admin to add a new app to be managed by Buckler."""
+    if not request['session']['admin']:
+        return {'main': "You do not have permission to do that."}
     data = await request.post()
     app_name = data.get('app_name')
     app_url = data.get('app_url')
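Review bot: The new guard in change_user_perms indexes `request['session']['admin']` directly, so a session that has no 'admin' key at all (presumably a visitor who never logged in, if the session store does not pre-populate the flag — confirm against the login code) raises KeyError instead of taking the deny branch; the same applies to the guard added in new_app. Reading the flag with `if not request['session'].get('admin'):` fails closed in both the missing-key and the false case, and a short comment above it such as `# Authorization gate: must run before the request body is read or any state is touched` records why the check sits first. The body of change_user_perms continues past the end of the hunk, so whether it performs other privileged work before json.loads is not visible here.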
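Review bot: The admin check added to new_app is now the third verbatim copy of the same two lines (invite_user and change_user_perms carry the others), which is the pattern that lets a fourth privileged handler ship without the guard; a single decorator keeps the check in one place and makes its absence visible at the definition site. The sketch below keeps the hunk's exact session lookup and response dict so behaviour is unchanged; if the route registration also uses decorators, the order relative to them needs checking, which this diff does not show. The remainder of new_app lies outside the hunk.
```python
def admin_required(handler):
    """Run handler only when the session is flagged admin; otherwise return the permission message."""
    async def wrapper(request):
        if not request['session']['admin']:
            return {'main': "You do not have permission to do that."}
        return await handler(request)
    return wrapper

@admin_required
async def new_app(request):
    """Allows an admin to add a new app to be managed by Buckler."""
    # … unchanged: form field handling …
```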