prevent non-admins from accessing critical functions

forms.py

@@ -13,7 +13,6 @@ async def invite_user(request):
 	"""Allows an admin to invite a new user."""
 	if not request['session']['admin']:
 		return {'main': "You do not have permission to do that."}
-
 	data = await request.post()
 	email = data.get('email')
 
@@ -27,6 +26,8 @@ async def invite_user(request):
 
 async def change_user_perms(request):
 	"""Allows an admin to change user permissions."""
+	if not request['session']['admin']:
+		return {'main': "You do not have permission to do that."}
 	data = await request.post()
 	data = json.loads(data['perms'])
 
@@ -52,6 +53,8 @@ async def change_user_perms(request):
 
 async def new_app(request):
 	"""Allows an admin to add a new app to be managed by Buckler."""
+	if not request['session']['admin']:
+		return {'main': "You do not have permission to do that."}
 	data = await request.post()
 	app_name = data.get('app_name')
 	app_url = data.get('app_url')

static/buckler.js

@@ -15,7 +15,9 @@ function load() {
 			}
 		});
 	});
-	document.querySelector('#user_perm_form').addEventListener('submit', submit_user_perms);
+	if (user_perms) {
+		document.querySelector('#user_perm_form').addEventListener('submit', submit_user_perms);
+	}
 }
 
 function submit_user_perms(event) {

templates/index.html

@@ -4,7 +4,7 @@
 		<title>Buckler</title>
 		<link rel="stylesheet" type="text/css" href="/static/buckler.css">
 		<script>
-			var user_perms = {{ user_perms_json|safe }};
+			var user_perms = {% if request['session']['admin'] %}{{ user_perms_json|safe }}{% else %}null{% endif %};
 		</script>
 		<script type="text/javascript" src="/static/buckler.js"></script>
 		<script>window.onload = load;</script>