upstream/kallithea Commit - r305:61be6dcd

protected admin controllers

marcink -

r305:61be6dcd default

parent child

pylons_app/controllers/admin.py

0 +3 -5

              from pylons_app.model import meta
              from pylons_app.model.db import UserLog
              from webhelpers.paginate import Page
-             from pylons_app.lib.auth import LoginRequired
+             from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator
              log = logging.getLogger(__name__)
                  @LoginRequired()
                  def __before__(self):
-                     user = session['hg_app_user']
-                     c.admin_user = user.is_admin
-                     c.admin_username = user.username
                      super(AdminController, self).__before__()
+                 @HasPermissionAllDecorator('hg.admin')
                  def index(self):
                      sa = meta.Session

pylons_app/controllers/permissions.py

0 +19 -6

              permissions controller for pylons
              @author: marcink
              """
+             from formencode import htmlfill
+             from pylons import request, session, tmpl_context as c, url
+             from pylons.controllers.util import abort, redirect
+             from pylons.i18n.translation import _
+             from pylons_app.lib import helpers as h
+             from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator
+             from pylons_app.lib.base import BaseController, render
+             from pylons_app.model.db import User, UserLog
+             from pylons_app.model.forms import UserForm
+             from pylons_app.model.user_model import UserModel
+             import formencode
              import logging
-             from pylons import request, response, session, tmpl_context as c, url
-             from pylons.controllers.util import abort, redirect
-             from pylons_app.lib.base import BaseController, render
              log = logging.getLogger(__name__)
              class PermissionsController(BaseController):
                  # To properly map this controller, ensure your config/routing.py
                  # file has a resource setup:
                  #     map.resource('permission', 'permissions')
+                 @LoginRequired()
+                 @HasPermissionAllDecorator('hg.admin')
+                 def __before__(self):
+                     c.admin_user = session.get('admin_user')
+                     c.admin_username = session.get('admin_username')
+                     super(PermissionsController, self).__before__()
                  def index(self, format='html'):
                      """GET /permissions: All items in the collection"""
                      # url('permissions')

pylons_app/controllers/users.py

0 +6 -4

              users controller for pylons
              @author: marcink
              """
-             import logging
+             from formencode import htmlfill
              from pylons import request, session, tmpl_context as c, url
              from pylons.controllers.util import abort, redirect
              from pylons.i18n.translation import _
              from pylons_app.lib import helpers as h
-             from pylons_app.lib.auth import LoginRequired
+             from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator
              from pylons_app.lib.base import BaseController, render
              from pylons_app.model.db import User, UserLog
              from pylons_app.model.forms import UserForm
              from pylons_app.model.user_model import UserModel
              import formencode
-             from formencode import htmlfill
+             import logging
              log = logging.getLogger(__name__)
                  # To properly map this controller, ensure your config/routing.py
                  # file has a resource setup:
                  #     map.resource('user', 'users')
                  @LoginRequired()
+                 @HasPermissionAllDecorator('hg.admin')
                  def __before__(self):
                      c.admin_user = session.get('admin_user')
                      c.admin_username = session.get('admin_username')
                                  % form_result['username'], category='error')
                      return redirect(url('users'))
                  def delete(self, id):
                      """DELETE /users/id: Delete an existing item"""
                      # Forms posted to this method should contain a hidden field:

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages