require admin for /admin/* paths

2023-09-22 21:15:02 +02:00 · 2023-09-22 21:15:02 +02:00 · bdfefcb234
parent 3fcb7d2a4f
commit bdfefcb234
1 changed files with 6 additions and 1 deletions
--- a/webapp/views.py
+++ b/webapp/views.py
@ -255,7 +255,9 @@ def ldap_get_all_users_groupped(conn):
@app.route('/admin/')
@login_required
 def admin_list():
-    # TODO: check if user is admin
+    if not flask.session['is_admin']:
+        flask.abort(403)
+
    conn = context.get_connection()
    user_groups = ldap_get_all_users_groupped(conn)

@ -288,6 +290,9 @@ def ldap_validate_uid(uid):
@app.route('/admin/users/<uid>')
@login_required
 def admin_user_view(uid):
+    if not flask.session['is_admin']:
+        flask.abort(403)
+
    conn = context.get_connection()
    ldap_validate_uid(uid)