From: Magnus Hagander Date: Tue, 21 Feb 2023 14:19:01 +0000 (+0100) Subject: Restrict user search/import to cf admins X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=fb632f22912fd30df3cdfc4c7c34a2293cafe885;p=pgcommitfest2.git Restrict user search/import to cf admins All users can still enumerate local users, but the functionality to search the central database is restricted to admins only. Reported by Benjamin Flesch
---
diff --git a/pgcommitfest/commitfest/ajax.py b/pgcommitfest/commitfest/ajax.py
index c188684..e334c57 100644
--- a/pgcommitfest/commitfest/ajax.py
+++ b/pgcommitfest/commitfest/ajax.py
@@ -223,6 +223,9 @@ def detachThread(request):
 def searchUsers(request):
+ if not request.user.is_staff:
+ return []
+
 if request.GET.get('s', ''):
 return user_search(request.GET['s'])
 else:
@@ -230,6 +233,9 @@ def searchUsers(request):
 def importUser(request):
+ if not request.user.is_staff:
+ raise Http404()
+
 if request.GET.get('u', ''):
 u = user_search(userid=request.GET['u'])
 if len(u) != 1:
diff --git a/pgcommitfest/commitfest/templates/base_form.html b/pgcommitfest/commitfest/templates/base_form.html
index 3f3094b..7f2b2ad 100644
--- a/pgcommitfest/commitfest/templates/base_form.html
+++ b/pgcommitfest/commitfest/templates/base_form.html
@@ -40,6 +40,7 @@
 {%include "thread_attach.inc" %}
 {%endif%}
+{%if user.is_staff%}
+{%endif%}
 {%endblock%}
 {%block extrahead%}
@@ -97,6 +99,7 @@
 }
 });
 {%endfor%}
+{%if user.is_staff%}
 $('.selectize-control').after(
 $('Import user not listed').click(function () {
 search_and_store_user();
@@ -106,6 +109,7 @@ $('#searchUserModal').on('shown.bs.modal', function() {
 $('#searchUserSearchField').focus();
 });
+{%endif%}
 /* Build our button callbacks */
 $(document).ready(function() {
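Review bot: The staff gate in searchUsers denies with a bare `return []`, which — assuming the existing else branch also yields an empty result — a caller cannot tell apart from a search that legitimately matched nothing, while the parallel gate added to importUser in the next hunk raises Http404, so the two handlers now answer the same authorization failure differently. If the silent empty list is deliberate so the selectize widget degrades quietly for non-admins, say so on the guard: `# Central user-database search is staff-only; non-staff get an empty result rather than an error so the widget degrades quietly.` Both checks also use Django's site-wide `is_staff` flag as the definition of the "cf admin" named in the commit title, and nothing in the code ties those two notions together, so a one-line comment recording that mapping would help the next maintainer. The body of searchUsers continues outside the hunk, and whether the ajax dispatcher already requires an authenticated user before reaching these handlers is not visible here.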
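Review bot: `raise Http404()` in importUser relies on Http404 being in scope in ajax.py, and the hunk adds no import; if the module did not already import it, a non-staff request would fail with a NameError instead of being denied, so confirm the import exists. Answering an authorization failure with 404 rather than 403 is a reasonable way to avoid advertising the endpoint, but that intent is not visible in the code, so record it next to the guard: `# Staff-only: answer 404 (not 403) so non-admins cannot tell the import endpoint exists.` The rest of importUser, including what it returns on the success path, lies outside the hunk.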
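Review bot: The `{%if user.is_staff%}` wrapper in this hunk, together with the matching pair in the two hunks that follow (around lines 99 and 109), only hides the import button and its click handler from non-staff; it is a presentational change, and the real enforcement is the staff check in ajax.py, so a reader of this template gets no pointer to where the control actually lives. Add a template comment on the wrapper: `{# Staff-only UI; access is enforced server-side in ajax.searchUsers/importUser #}`. The element being wrapped does not survive in this rendering of the hunk and the header's line counts disagree with the visible lines, so the hunk appears truncated here; the `{%if%}` opened in the line-99 hunk is closed in the line-109 hunk, with the JavaScript between them outside view.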