

2 Commits

Author SHA1 Message Date
d5aa1bd4de prevent non-admins from accessing critical functions 2020-11-21 13:23:15 -05:00
bdaf3730c4 bugfix non-admin errors 2020-11-20 21:13:35 -05:00
3 changed files with 8 additions and 3 deletions


@ -13,7 +13,6 @@ async def invite_user(request):
"""Allows an admin to invite a new user.""" """Allows an admin to invite a new user."""
if not request['session']['admin']: if not request['session']['admin']:
return {'main': "You do not have permission to do that."} return {'main': "You do not have permission to do that."}
data = await request.post() data = await request.post()
email = data.get('email') email = data.get('email')
@ -27,6 +26,8 @@ async def invite_user(request):
async def change_user_perms(request): async def change_user_perms(request):
"""Allows an admin to change user permissions.""" """Allows an admin to change user permissions."""
if not request['session']['admin']:
return {'main': "You do not have permission to do that."}
data = await request.post() data = await request.post()
data = json.loads(data['perms']) data = json.loads(data['perms'])
@ -52,6 +53,8 @@ async def change_user_perms(request):
async def new_app(request): async def new_app(request):
"""Allows an admin to add a new app to be managed by Buckler.""" """Allows an admin to add a new app to be managed by Buckler."""
if not request['session']['admin']:
return {'main': "You do not have permission to do that."}
data = await request.post() data = await request.post()
app_name = data.get('app_name') app_name = data.get('app_name')
app_url = data.get('app_url') app_url = data.get('app_url')
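Review bot: The admin guard added at the top of change_user_perms and new_app (and already present in invite_user) is the same two lines copied into each handler, so any future admin-only handler that omits them fails open — which is exactly the gap this commit closes. A decorator that applies the check and the denial response in one place makes deny-by-default the path of least resistance for the next handler; the sketch below uses functools.wraps, so functools must be imported at the top of the module. The guard also indexes `request['session']['admin']` directly; if a non-admin session can lack that key, the handler raises KeyError instead of returning the denial, and `request['session'].get('admin')` fails closed without the exception — worth confirming against how the session is populated. All three handlers' bodies continue outside their hunks, and the line removed by the first hunk (-13,7 +13,6) is not shown in the rendered view.
```python
def admin_only(handler):
    """Wrap a request handler so that non-admin sessions receive the denial response."""
    @functools.wraps(handler)
    async def wrapper(request):
        if not request['session'].get('admin'):
            return {'main': "You do not have permission to do that."}
        return await handler(request)
    return wrapper


@admin_only
async def change_user_perms(request):
    """Allows an admin to change user permissions."""
    # … unchanged: body of change_user_perms …
```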


@ -15,7 +15,9 @@ function load() {
} }
}); });
}); });
if (user_perms) {
document.querySelector('#user_perm_form').addEventListener('submit', submit_user_perms); document.querySelector('#user_perm_form').addEventListener('submit', submit_user_perms);
}
} }
function submit_user_perms(event) { function submit_user_perms(event) {
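Review bot: The guard added around the addEventListener call keys on the template variable `user_perms` rather than on the element it actually needs, so it only holds while the template keeps `user_perms` null exactly when `#user_perm_form` is absent; a change to either side silently reintroduces the null dereference. Checking the element directly states the real precondition: `var form = document.querySelector('#user_perm_form');` followed by `if (form) { form.addEventListener('submit', submit_user_perms); }`. The enclosing load() function starts outside the hunk.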


@ -4,7 +4,7 @@
<title>Buckler</title> <title>Buckler</title>
<link rel="stylesheet" type="text/css" href="/static/buckler.css"> <link rel="stylesheet" type="text/css" href="/static/buckler.css">
<script> <script>
var user_perms = {{ user_perms_json|safe }}; var user_perms = {% if request['session']['admin'] %}{{ user_perms_json|safe }}{% else %}null{% endif %};
</script> </script>
<script type="text/javascript" src="/static/buckler.js"></script> <script type="text/javascript" src="/static/buckler.js"></script>
<script>window.onload = load;</script> <script>window.onload = load;</script>
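Review bot: The new conditional stops serving the permissions data to non-admin sessions, but the admin branch still interpolates `user_perms_json` into a script element with `|safe`, so a string inside that JSON containing `</script>` (or `<!--`) would end the element early and be parsed as markup. If any field can carry user-entered text such as e-mail addresses or names, escape `<`, `>` and `&` as `\u003c`, `\u003e` and `\u0026` when serializing on the server side before handing the value to the template; the escaped forms remain valid JSON and decode to the same strings. The non-admin branch emits the literal `null`, which is what the `if (user_perms)` guard added in the JavaScript section relies on.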