From 3ea3bc1d8e933bb7e80b5dd19fbba444e6cc4db2 Mon Sep 17 00:00:00 2001
From: Pierre Jaury
Date: Sat, 27 Aug 2016 14:57:51 +0200
Subject: [PATCH] Enforce permission checks for admin management

---
 admin/freeposte/admin/views/admins.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/admin/freeposte/admin/views/admins.py b/admin/freeposte/admin/views/admins.py
index 63272ac8..3e4cc3f7 100644
--- a/admin/freeposte/admin/views/admins.py
+++ b/admin/freeposte/admin/views/admins.py
@@ -10,6 +10,7 @@ import json
 @app.route('/admin/list', methods=['GET'])
 @flask_login.login_required
 def admin_list():
+    utils.require_global_admin()
     admins = models.User.query.filter_by(global_admin=True)
     return flask.render_template('admin/list.html', admins=admins)
 
@@ -17,6 +18,7 @@ def admin_list():
 @app.route('/admin/create', methods=['GET', 'POST'])
 @flask_login.login_required
 def admin_create():
+    utils.require_global_admin()
     form = forms.AdminForm()
     form.admin.choices = [
         (user.email, user.email)
@@ -39,6 +41,7 @@ def admin_create():
 @utils.confirmation_required("delete admin {admin}")
 @flask_login.login_required
 def admin_delete(admin):
+    utils.require_global_admin()
     user = models.User.query.get(admin)
     if user:
         user.global_admin = False
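Review bot: The authorization check in `admin_list` only works if `utils.require_global_admin()` aborts the request itself (for example via a 403), because its return value is discarded on the added line; if it ever returns a boolean instead, all three views silently become open to any logged-in user, so a one-line comment such as `# aborts with 403 for non-global admins; return value intentionally ignored` would pin that contract where the call is made. The same applies to the identical lines in the `admin_create` and `admin_delete` hunks. Since every route in this file needs the same call as its first statement, a decorator wrapping `utils.require_global_admin()` applied next to `@flask_login.login_required` would make the requirement declarative and harder to omit on future admin routes; the fix as committed is correct but relies on each author remembering the call.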
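Review bot: In `admin_delete` the new check runs inside the function body, after both decorators, but `@utils.confirmation_required("delete admin {admin}")` is the outermost decorator and therefore executes before `@flask_login.login_required` and before `utils.require_global_admin()`; if that decorator renders a confirmation page on GET (its implementation is not visible here), a non-admin or even anonymous client reaches the confirmation step before authorization is evaluated. Moving the global-admin requirement ahead of the confirmation step, or placing `@utils.confirmation_required` innermost, would close that ordering gap. Separately, the body sets `user.global_admin = False` for any user id found, with no visible guard against the caller demoting themselves or removing the last global admin; the function continues outside the hunk, so this may be handled later, but a comment such as `# NOTE(review): no protection against demoting the last/current global admin — confirm` would flag it for the next reader.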