self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2025-11-25 22:12:28 +02:00
Code Issues Releases Activity

Enforce permission checks for admin management

Browse Source
This commit is contained in:
Pierre Jaury
2016-08-27 14:57:51 +02:00
parent ee6e9b2690
commit 3ea3bc1d8e
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
admin/freeposte/admin/views/admins.py
View File

@@ -10,6 +10,7 @@ import json
@app.route('/admin/list', methods=['GET']) @app.route('/admin/list', methods=['GET'])
@flask_login.login_required @flask_login.login_required
def admin_list(): def admin_list():
utils.require_global_admin()
admins = models.User.query.filter_by(global_admin=True) admins = models.User.query.filter_by(global_admin=True)
return flask.render_template('admin/list.html', admins=admins) return flask.render_template('admin/list.html', admins=admins)
@@ -17,6 +18,7 @@ def admin_list():
@app.route('/admin/create', methods=['GET', 'POST']) @app.route('/admin/create', methods=['GET', 'POST'])
@flask_login.login_required @flask_login.login_required
def admin_create(): def admin_create():
utils.require_global_admin()
form = forms.AdminForm() form = forms.AdminForm()
form.admin.choices = [ form.admin.choices = [
(user.email, user.email) (user.email, user.email)
@@ -39,6 +41,7 @@ def admin_create():
@utils.confirmation_required("delete admin {admin}") @utils.confirmation_required("delete admin {admin}")
@flask_login.login_required @flask_login.login_required
def admin_delete(admin): def admin_delete(admin):
utils.require_global_admin()
user = models.User.query.get(admin) user = models.User.query.get(admin)
if user: if user:
user.global_admin = False user.global_admin = False