From e40bc11f30eab2b710cd40ab644c086cc285f2cd Mon Sep 17 00:00:00 2001
From: Alban <alban.feron@gmail.com>
Date: Sun, 9 Dec 2012 21:30:37 +0100
Subject: [PATCH] Securing user and folder areas

---
 folder.py | 11 ++++++++++-
 user.py   | 11 +++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/folder.py b/folder.py
index 71d938f..699a37d 100755
--- a/folder.py
+++ b/folder.py
@@ -1,12 +1,21 @@
 # coding: utf-8
 
-from flask import request, flash, render_template, redirect, url_for
+from flask import request, flash, render_template, redirect, url_for, session as fl_sess
 import os.path
 import uuid
 
 from web import app
 from db import session, Folder, Artist
 from scanner import Scanner
+from user_manager import UserManager
+
+@app.before_request
+def check_admin():
+	if not request.path.startswith('/folder'):
+		return
+
+	if not UserManager.get(fl_sess.get('userid'))[1].admin:
+		return redirect(url_for('index'))
 
 @app.route('/folder')
 def folder_index():
diff --git a/user.py b/user.py
index 96f642d..768af16 100755
--- a/user.py
+++ b/user.py
@@ -6,6 +6,17 @@ from web import app
 from user_manager import UserManager
 from db import User
 
+@app.before_request
+def check_admin():
+	if not request.path.startswith('/user') or request.endpoint in ('login', 'logout'):
+		return
+
+	if request.endpoint == 'add_user' and User.query.filter(User.admin == True).count() == 0:
+		return
+
+	if request.endpoint in ('user_index', 'add_user', 'del_user') and not UserManager.get(session.get('userid'))[1].admin:
+		return redirect(url_for('index'))
+
 @app.route('/user')
 def user_index():
 	return render_template('users.html', users = User.query.all())