mirror of https://github.com/spl0k/supysonic.git synced 2024-12-23 01:16:18 +00:00

Securing user and folder areas

Alban 2012-12-09 21:30:37 +01:00
parent db2694352e
commit e40bc11f30
2 changed files with 21 additions and 1 deletions


@ -1,12 +1,21 @@
# coding: utf-8 # coding: utf-8
from flask import request, flash, render_template, redirect, url_for from flask import request, flash, render_template, redirect, url_for, session as fl_sess
import os.path import os.path
import uuid import uuid
from web import app from web import app
from db import session, Folder, Artist from db import session, Folder, Artist
from scanner import Scanner from scanner import Scanner
from user_manager import UserManager
@app.before_request
def check_admin():
if not request.path.startswith('/folder'):
return
if not UserManager.get(fl_sess.get('userid'))[1].admin:
return redirect(url_for('index'))
@app.route('/folder') @app.route('/folder')
def folder_index(): def folder_index():
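Review bot: The new `check_admin` hook dereferences `UserManager.get(fl_sess.get('userid'))[1].admin` without checking that a user was found. For a visitor with no session the id is `None`, and if `UserManager.get` returns no user object on a failed lookup (its implementation is not visible here), the `.admin` access raises and the request ends in a 500 instead of the redirect. Unpack and test the result first: `user = UserManager.get(fl_sess.get('userid'))[1]` followed by `if user is None or not user.admin: return redirect(url_for('index'))`. The same unguarded expression appears in the `check_admin` added to user.py. Separately, `request.path.startswith('/folder')` is a plain prefix match and so also covers paths such as `/folders`; matching on `request.endpoint` would tie the check to the views rather than to URL spelling.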

11
user.py

@ -6,6 +6,17 @@ from web import app
from user_manager import UserManager from user_manager import UserManager
from db import User from db import User
@app.before_request
def check_admin():
if not request.path.startswith('/user') or request.endpoint in ('login', 'logout'):
return
if request.endpoint == 'add_user' and User.query.filter(User.admin == True).count() == 0:
return
if request.endpoint in ('user_index', 'add_user', 'del_user') and not UserManager.get(session.get('userid'))[1].admin:
return redirect(url_for('index'))
@app.route('/user') @app.route('/user')
def user_index(): def user_index():
return render_template('users.html', users = User.query.all()) return render_template('users.html', users = User.query.all())
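Review bot: The admin check in this `check_admin` fails open, because it only applies to the endpoints listed in `('user_index', 'add_user', 'del_user')`. Any other view registered under `/user` is reachable by a non-admin unless the tuple is extended each time. Denying by default is safer: keep a short tuple of endpoints that non-admins may use (the name is a suggestion) and write `if request.endpoint not in NON_ADMIN_USER_ENDPOINTS and not <admin check>: return redirect(url_for('index'))`. The `add_user` exemption while `User.query.filter(User.admin == True).count() == 0` leaves account creation open to any visitor until the first admin exists. That branch deserves a comment such as `# bootstrap: no admin yet, allow creating the first account`, and it is worth confirming that `add_user` forces the account created this way to be an admin. The imports for `request`, `session`, `redirect` and `url_for` sit above the hunk and are not visible here.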