Enforce permission checks for admin management

8 years ago · 3ea3bc1d8e
parent ee6e9b2690
commit 3ea3bc1d8e
1 changed files with 3 additions and 0 deletions
--- a/admin/freeposte/admin/views/admins.py
+++ b/admin/freeposte/admin/views/admins.py
@ -10,6 +10,7 @@ import json
@app.route('/admin/list', methods=['GET'])
@flask_login.login_required
 def admin_list():
+    utils.require_global_admin()
    admins = models.User.query.filter_by(global_admin=True)
    return flask.render_template('admin/list.html', admins=admins)

@ -17,6 +18,7 @@ def admin_list():
@app.route('/admin/create', methods=['GET', 'POST'])
@flask_login.login_required
 def admin_create():
+    utils.require_global_admin()
    form = forms.AdminForm()
    form.admin.choices = [
        (user.email, user.email)
@ -39,6 +41,7 @@ def admin_create():
@utils.confirmation_required("delete admin {admin}")
@flask_login.login_required
 def admin_delete(admin):
+    utils.require_global_admin()
    user = models.User.query.get(admin)
    if user:
        user.global_admin  = False