From 9d97fc92d82289301896c88f8c828321aa99701d Mon Sep 17 00:00:00 2001 From: Andrew Godwin Date: Wed, 16 Nov 2022 21:14:05 -0700 Subject: Should probably limit system settings to admins --- users/decorators.py | 5 +++++ users/views/settings_system.py | 10 +++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/users/decorators.py b/users/decorators.py index d373692..5226460 100644 --- a/users/decorators.py +++ b/users/decorators.py @@ -1,5 +1,6 @@ from functools import wraps +from django.contrib.auth.decorators import user_passes_test from django.contrib.auth.views import redirect_to_login from django.http import HttpResponseRedirect @@ -26,3 +27,7 @@ def identity_required(function): return function(request, *args, **kwargs) return inner + + +def admin_required(function): + return user_passes_test(lambda user: user.admin)(function) diff --git a/users/views/settings_system.py b/users/views/settings_system.py index bfd9fb7..e5e9e85 100644 --- a/users/views/settings_system.py +++ b/users/views/settings_system.py @@ -9,16 +9,16 @@ from django.utils.decorators import method_decorator from django.views.generic import FormView, RedirectView, TemplateView from core.models import Config -from users.decorators import identity_required +from users.decorators import admin_required from users.models import Domain -@method_decorator(identity_required, name="dispatch") +@method_decorator(admin_required, name="dispatch") class SystemSettingsRoot(RedirectView): url = "/settings/system/basic/" -@method_decorator(identity_required, name="dispatch") +@method_decorator(admin_required, name="dispatch") class SystemSettingsPage(FormView): """ Shows a settings page dynamically created from our settings layout @@ -100,6 +100,7 @@ class BasicPage(SystemSettingsPage): } +@method_decorator(admin_required, name="dispatch") class DomainsPage(TemplateView): template_name = "settings/settings_system_domains.html" @@ -111,6 +112,7 @@ class DomainsPage(TemplateView): } +@method_decorator(admin_required, name="dispatch") class DomainCreatePage(FormView): template_name = "settings/settings_system_domain_create.html" @@ -170,6 +172,7 @@ class DomainCreatePage(FormView): return redirect(Domain.urls.root) +@method_decorator(admin_required, name="dispatch") class DomainEditPage(FormView): template_name = "settings/settings_system_domain_edit.html" @@ -215,6 +218,7 @@ class DomainEditPage(FormView): } +@method_decorator(admin_required, name="dispatch") class DomainDeletePage(TemplateView): template_name = "settings/settings_system_domain_delete.html" -- cgit v1.2.3