From e40bc11f30eab2b710cd40ab644c086cc285f2cd Mon Sep 17 00:00:00 2001
From: Alban
Date: Sun, 9 Dec 2012 21:30:37 +0100
Subject: [PATCH] Securing user and folder areas

---
 folder.py | 11 ++++++++++-
 user.py | 11 +++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/folder.py b/folder.py
index 71d938f..699a37d 100755
--- a/folder.py
+++ b/folder.py
@@ -1,12 +1,21 @@
 # coding: utf-8
-from flask import request, flash, render_template, redirect, url_for
+from flask import request, flash, render_template, redirect, url_for, session as fl_sess
 import os.path
 import uuid
 from web import app
 from db import session, Folder, Artist
 from scanner import Scanner
+from user_manager import UserManager
+
+@app.before_request
+def check_admin():
+	if not request.path.startswith('/folder'):
+		return
+
+	if not UserManager.get(fl_sess.get('userid'))[1].admin:
+		return redirect(url_for('index'))
 @app.route('/folder')
 def folder_index():
diff --git a/user.py b/user.py
index 96f642d..768af16 100755
--- a/user.py
+++ b/user.py
@@ -6,6 +6,17 @@ from web import app
 from user_manager import UserManager
 from db import User
+@app.before_request
+def check_admin():
+	if not request.path.startswith('/user') or request.endpoint in ('login', 'logout'):
+		return
+
+	if request.endpoint == 'add_user' and User.query.filter(User.admin == True).count() == 0:
+		return
+
+	if request.endpoint in ('user_index', 'add_user', 'del_user') and not UserManager.get(session.get('userid'))[1].admin:
+		return redirect(url_for('index'))
+
 @app.route('/user')
 def user_index():
 	return render_template('users.html', users = User.query.all())
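Review bot: An unauthenticated request under /folder makes `UserManager.get(fl_sess.get('userid'))[1].admin` fail rather than redirect, because with no `userid` in the session there is presumably no user object behind index `[1]` (the call appears to return a status/user pair — confirm against user_manager.py), so the new guard turns into a server error instead of a denial. Unpack the pair and treat a missing user exactly like a non-admin: `code, user = UserManager.get(fl_sess.get('userid'))` followed by `if user is None or not user.admin: return redirect(url_for('index'))`. The guard keys on a path prefix rather than on endpoints, which covers the current /folder routes but is worth stating in a comment such as `# Admin-only: every request whose path starts with /folder needs an admin session`. The same blind `[1].admin` indexing appears in the user.py hunk of this commit.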
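Review bot: The admin check in the last `if` is an allow-list of three endpoints, so any other view under `/user` that is not `login` or `logout` (a later edit or password route, for instance) reaches its handler with no authorization check at all; a default-deny that exempts only the explicit cases is the safer shape for a `before_request` guard. The bootstrap exemption also keeps `add_user` open to any client for as long as no admin row exists, which deserves a comment so that the first account created is made an admin and the window closes. The rewrite below inverts the list and unpacks the `UserManager.get` result instead of indexing `[1]` on it, assuming the call yields no user object for an unknown or missing id — confirm that against user_manager.py.
```python
@app.before_request
def check_admin():
	if not request.path.startswith('/user') or request.endpoint in ('login', 'logout'):
		return

	# Bootstrap only: while no admin exists, the first account may be created
	# without a session. Once an admin row exists this branch never fires again.
	if request.endpoint == 'add_user' and User.query.filter(User.admin == True).count() == 0:
		return

	# Default-deny: every remaining endpoint under /user needs an admin session.
	code, user = UserManager.get(session.get('userid'))
	if user is None or not user.admin:
		return redirect(url_for('index'))
```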