# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2017-08-03 20:17:38
# Node ID 844b6602da1aa2295279df215c2467d18e4541f5
# Parent  9e69eb389acfbab3abdb408f2d477c53bb4857ed

auth: added @LoginRequired() decorators for user/user_group views.

- not really a secirity issue but for consistency we should have them (also provides nicer redirects)

diff --git a/rhodecode/apps/admin/views/user_groups.py b/rhodecode/apps/admin/views/user_groups.py
--- a/rhodecode/apps/admin/views/user_groups.py
+++ b/rhodecode/apps/admin/views/user_groups.py
@@ -51,6 +51,7 @@ class AdminUserGroupsView(BaseAppView, D
 
     # permission check in data loading of
     # `user_groups_list_data` via UserGroupList
+    @LoginRequired()
     @NotAnonymous()
     @view_config(
         route_name='user_groups', request_method='GET',
@@ -60,6 +61,7 @@ class AdminUserGroupsView(BaseAppView, D
         return self._get_template_context(c)
 
     # permission check inside
+    @LoginRequired()
     @NotAnonymous()
     @view_config(
         route_name='user_groups_data', request_method='GET',
diff --git a/rhodecode/apps/admin/views/users.py b/rhodecode/apps/admin/views/users.py
--- a/rhodecode/apps/admin/views/users.py
+++ b/rhodecode/apps/admin/views/users.py
@@ -69,6 +69,7 @@ class AdminUsersView(BaseAppView, DataGr
             # is a pyramid view
             raise HTTPFound('/')
 
+    @LoginRequired()
     @HasPermissionAllDecorator('hg.admin')
     @view_config(
         route_name='users', request_method='GET',
@@ -77,6 +78,7 @@ class AdminUsersView(BaseAppView, DataGr
         c = self.load_default_context()
         return self._get_template_context(c)
 
+    @LoginRequired()
     @HasPermissionAllDecorator('hg.admin')
     @view_config(
         # renderer defined below