prevent non-admins from accessing critical functions

iou1name 2020-11-21 13:23:15 -05:00
parent bdaf3730c4
commit d5aa1bd4de


@ -13,7 +13,6 @@ async def invite_user(request):
"""Allows an admin to invite a new user.""" """Allows an admin to invite a new user."""
if not request['session']['admin']: if not request['session']['admin']:
return {'main': "You do not have permission to do that."} return {'main': "You do not have permission to do that."}
data = await request.post() data = await request.post()
email = data.get('email') email = data.get('email')
@ -27,6 +26,8 @@ async def invite_user(request):
async def change_user_perms(request): async def change_user_perms(request):
"""Allows an admin to change user permissions.""" """Allows an admin to change user permissions."""
if not request['session']['admin']:
return {'main': "You do not have permission to do that."}
data = await request.post() data = await request.post()
data = json.loads(data['perms']) data = json.loads(data['perms'])
@ -52,6 +53,8 @@ async def change_user_perms(request):
async def new_app(request): async def new_app(request):
"""Allows an admin to add a new app to be managed by Buckler.""" """Allows an admin to add a new app to be managed by Buckler."""
if not request['session']['admin']:
return {'main': "You do not have permission to do that."}
data = await request.post() data = await request.post()
app_name = data.get('app_name') app_name = data.get('app_name')
app_url = data.get('app_url') app_url = data.get('app_url')
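Review bot: The admin check is now copy-pasted at the top of `invite_user`, `change_user_perms` and `new_app`, so any handler added later is unprotected unless its author remembers the same two lines, which is the omission this commit repairs. Moving the check into one decorator (sketched below; it needs `functools` imported at the top of the file) or into a middleware covering the admin routes would make the protection structural. The denial is returned as an ordinary dict, so it presumably renders as a normal page with a 200 status; answering with HTTP 403, if the framework setup allows it, would let access logs and monitoring distinguish denied attempts. The bodies of all three handlers continue outside the hunks, and other handlers in this file are not visible here and should be checked for the same gap.

```python
def admin_required(handler):
    """Reject the request unless the session is flagged as admin."""
    @functools.wraps(handler)
    async def wrapper(request):
        if not request['session']['admin']:
            return {'main': "You do not have permission to do that."}
        return await handler(request)
    return wrapper


# If a template-rendering decorator also wraps these handlers, keep
# admin_required closest to the function so the denial dict is still rendered.
@admin_required
async def change_user_perms(request):
    """Allows an admin to change user permissions."""
    # … unchanged: read the posted 'perms' JSON and apply it …
```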