bitvend: move admin access to vending-admin group

2023-11-11 21:48:21 +01:00 · 2023-11-11 21:48:21 +01:00 · ef71d8732a
parent a9012778fc
commit ef71d8732a
2 changed files with 43 additions and 11 deletions
--- a/bitvend/admin.py
+++ b/bitvend/admin.py
@ -1,13 +1,52 @@
-from flask import Blueprint, render_template, redirect, request, flash, url_for
+import time
+
+from six import wraps
+from flask import (
+    Blueprint,
+    render_template,
+    redirect,
+    request,
+    flash,
+    url_for,
+    session,
+    abort,
+)
 from flask_login import current_user, fresh_login_required

-from bitvend import dev
+from bitvend import dev, spaceauth
 from bitvend.models import db, Transaction
 from bitvend.forms import ManualForm
 from spaceauth import cap_required


-admin_required = cap_required("staff")
+def get_user_groups():
+    groups = session.get("groups", [])
+    groups_uid = session.get("groups_uid", "")
+    groups_ts = session.get("groups_ts", 0)
+
+    if not groups or groups_uid != current_user.uid or time.time() - groups_ts >= 60.0:
+        groups = spaceauth.remote.get("/api/1/userinfo").data.get("groups")
+
+        session["groups"] = groups
+        session["groups_ts"] = time.time()
+        session["groups_uid"] = current_user.uid
+
+    return session["groups"]
+
+
+# Checks if user is a member of vending-admin group
+def admin_required(fn):
+    @wraps(fn)
+    def wrapped(*args, **kwargs):
+        groups = get_user_groups()
+        if "vending-admin" not in groups:
+            abort(403)
+
+        return fn(*args, **kwargs)
+
+    return wrapped
+
+
 bp = Blueprint("admin", __name__)


--- a/bitvend/views.py
+++ b/bitvend/views.py
@ -32,7 +32,7 @@ def index():
        transfer_form=TransferForm(),
        hallofshame=hall_of_shame(),
        hallofaddicts=hall_of_addicts(),
-        hallofaddicts_30d=hall_of_addicts(window=24*30),
+        hallofaddicts_30d=hall_of_addicts(window=24 * 30),
        bottles_purchased=bottles_purchased(),
    )

@ -65,13 +65,6 @@ def transfer():
    return redirect(url_for(".index"))


-@bp.route("/log")
-@login_required
-@cap_required("staff")
-def log():
-    return render_template("log.html", transactions=Transaction.query.all())
-
-
@bp.route("/begin")
@login_required
 def begin():