From 3ea3bc1d8e933bb7e80b5dd19fbba444e6cc4db2 Mon Sep 17 00:00:00 2001
From: Pierre Jaury <pierre@jaury.eu>
Date: Sat, 27 Aug 2016 14:57:51 +0200
Subject: [PATCH] Enforce permission checks for admin management

---
 admin/freeposte/admin/views/admins.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/admin/freeposte/admin/views/admins.py b/admin/freeposte/admin/views/admins.py
index 63272ac8..3e4cc3f7 100644
--- a/admin/freeposte/admin/views/admins.py
+++ b/admin/freeposte/admin/views/admins.py
@@ -10,6 +10,7 @@ import json
 @app.route('/admin/list', methods=['GET'])
 @flask_login.login_required
 def admin_list():
+    utils.require_global_admin()
     admins = models.User.query.filter_by(global_admin=True)
     return flask.render_template('admin/list.html', admins=admins)
 
@@ -17,6 +18,7 @@ def admin_list():
 @app.route('/admin/create', methods=['GET', 'POST'])
 @flask_login.login_required
 def admin_create():
+    utils.require_global_admin()
     form = forms.AdminForm()
     form.admin.choices = [
         (user.email, user.email)
@@ -39,6 +41,7 @@ def admin_create():
 @utils.confirmation_required("delete admin {admin}")
 @flask_login.login_required
 def admin_delete(admin):
+    utils.require_global_admin()
     user = models.User.query.get(admin)
     if user:
         user.global_admin  = False