mirror of
https://github.com/spl0k/supysonic.git
synced 2024-12-23 01:16:18 +00:00
Securing user and folder areas
This commit is contained in:
parent
db2694352e
commit
e40bc11f30
11
folder.py
11
folder.py
@ -1,12 +1,21 @@
|
|||||||
# coding: utf-8
|
# coding: utf-8
|
||||||
|
|
||||||
from flask import request, flash, render_template, redirect, url_for
|
from flask import request, flash, render_template, redirect, url_for, session as fl_sess
|
||||||
import os.path
|
import os.path
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
from web import app
|
from web import app
|
||||||
from db import session, Folder, Artist
|
from db import session, Folder, Artist
|
||||||
from scanner import Scanner
|
from scanner import Scanner
|
||||||
|
from user_manager import UserManager
|
||||||
|
|
||||||
|
@app.before_request
|
||||||
|
def check_admin():
|
||||||
|
if not request.path.startswith('/folder'):
|
||||||
|
return
|
||||||
|
|
||||||
|
if not UserManager.get(fl_sess.get('userid'))[1].admin:
|
||||||
|
return redirect(url_for('index'))
|
||||||
|
|
||||||
@app.route('/folder')
|
@app.route('/folder')
|
||||||
def folder_index():
|
def folder_index():
|
||||||
|
11
user.py
11
user.py
@ -6,6 +6,17 @@ from web import app
|
|||||||
from user_manager import UserManager
|
from user_manager import UserManager
|
||||||
from db import User
|
from db import User
|
||||||
|
|
||||||
|
@app.before_request
|
||||||
|
def check_admin():
|
||||||
|
if not request.path.startswith('/user') or request.endpoint in ('login', 'logout'):
|
||||||
|
return
|
||||||
|
|
||||||
|
if request.endpoint == 'add_user' and User.query.filter(User.admin == True).count() == 0:
|
||||||
|
return
|
||||||
|
|
||||||
|
if request.endpoint in ('user_index', 'add_user', 'del_user') and not UserManager.get(session.get('userid'))[1].admin:
|
||||||
|
return redirect(url_for('index'))
|
||||||
|
|
||||||
@app.route('/user')
|
@app.route('/user')
|
||||||
def user_index():
|
def user_index():
|
||||||
return render_template('users.html', users = User.query.all())
|
return render_template('users.html', users = User.query.all())
|
||||||
|
Loading…
Reference in New Issue
Block a user