author | Marcin Kuzminski <marcin@python-works.com> | 2010-06-28 23:28:31 +0200 |
committer | Marcin Kuzminski <marcin@python-works.com> | 2010-06-28 23:28:31 +0200 |
commit | cd35585f7b6cabc5421a3d835685d1649ac7b315 (patch) | |
tree | 19dec21460124156670bb4691e0cd15e205cad95 | |
parent | 2b649beb20ebc51783b17b9c61841c815be26769 (diff) |
protected admin controllers
-rw-r--r-- | pylons_app/controllers/admin.py | 8 | ||||
-rw-r--r-- | pylons_app/controllers/permissions.py | 23 | ||||
-rw-r--r-- | pylons_app/controllers/users.py | 10 |
3 files changed, 27 insertions, 14 deletions
diff --git a/pylons_app/controllers/admin.py b/pylons_app/controllers/admin.py index 52079611..5c62c16e 100644 --- a/pylons_app/controllers/admin.py +++ b/pylons_app/controllers/admin.py @@ -28,7 +28,7 @@ from pylons_app.lib.base import BaseController, render from pylons_app.model import meta from pylons_app.model.db import UserLog from webhelpers.paginate import Page -from pylons_app.lib.auth import LoginRequired +from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator log = logging.getLogger(__name__) @@ -36,11 +36,9 @@ class AdminController(BaseController): @LoginRequired() def __before__(self): - user = session['hg_app_user'] - c.admin_user = user.is_admin - c.admin_username = user.username super(AdminController, self).__before__() - + + @HasPermissionAllDecorator('hg.admin') def index(self): sa = meta.Session diff --git a/pylons_app/controllers/permissions.py b/pylons_app/controllers/permissions.py index 011d7956..eea4ff9d 100644 --- a/pylons_app/controllers/permissions.py +++ b/pylons_app/controllers/permissions.py @@ -22,12 +22,18 @@ Created on April 27, 2010 permissions controller for pylons @author: marcink """ -import logging - -from pylons import request, response, session, tmpl_context as c, url +from formencode import htmlfill +from pylons import request, session, tmpl_context as c, url from pylons.controllers.util import abort, redirect - +from pylons.i18n.translation import _ +from pylons_app.lib import helpers as h +from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator from pylons_app.lib.base import BaseController, render +from pylons_app.model.db import User, UserLog +from pylons_app.model.forms import UserForm +from pylons_app.model.user_model import UserModel +import formencode +import logging log = logging.getLogger(__name__) 
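Review bot: In the admin.py `@@ -36,11 +36,9 @@` hunk, `@HasPermissionAllDecorator('hg.admin')` is placed on `index` only, while `__before__` keeps just `@LoginRequired()`, so any other action AdminController exposes (none are visible in the hunk) stays reachable by any logged-in user. The other two controllers in this commit put the permission check on `__before__`, which guards every action; doing the same here, `@LoginRequired()` and `@HasPermissionAllDecorator('hg.admin')` stacked above `def __before__(self):`, would make the three controllers consistent and close that gap. The hunk also drops the `c.admin_user` / `c.admin_username` assignments without a replacement; unless `BaseController.__before__` now sets them, templates rendered by admin actions will find them missing while permissions.py and users.py still populate them from the session. The body of `index` continues past the end of the hunk.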
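Review bot: The rewritten import block in the permissions.py `@@ -22,12 +22,18 @@` hunk pulls in `htmlfill`, `_`, `helpers as h`, `User`, `UserLog`, `UserForm`, `UserModel` and `formencode`, none of which the visible hunks of this file use; it mirrors the users.py import block, so unless the rest of permissions.py references them they are dead imports copied across. Keeping only `LoginRequired`, `HasPermissionAllDecorator` and the names the controller actually uses would make its real dependencies clear. The hunk also drops `response` from the `pylons` import, which is safe only if nothing further down in the file uses it; that part of the file is outside the hunk.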
@@ -36,7 +42,14 @@ class PermissionsController(BaseController): # To properly map this controller, ensure your config/routing.py # file has a resource setup: # map.resource('permission', 'permissions') - + + @LoginRequired() + @HasPermissionAllDecorator('hg.admin') + def __before__(self): + c.admin_user = session.get('admin_user') + c.admin_username = session.get('admin_username') + super(PermissionsController, self).__before__() + def index(self, format='html'): """GET /permissions: All items in the collection""" # url('permissions') diff --git a/pylons_app/controllers/users.py b/pylons_app/controllers/users.py index b03c232a..687ec584 100644 --- a/pylons_app/controllers/users.py +++ b/pylons_app/controllers/users.py @@ -22,18 +22,18 @@ Created on April 4, 2010 users controller for pylons @author: marcink """ -import logging +from formencode import htmlfill from pylons import request, session, tmpl_context as c, url from pylons.controllers.util import abort, redirect from pylons.i18n.translation import _ from pylons_app.lib import helpers as h -from pylons_app.lib.auth import LoginRequired +from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator from pylons_app.lib.base import BaseController, render from pylons_app.model.db import User, UserLog from pylons_app.model.forms import UserForm from pylons_app.model.user_model import UserModel import formencode -from formencode import htmlfill +import logging log = logging.getLogger(__name__) @@ -42,7 +42,9 @@ class UsersController(BaseController): # To properly map this controller, ensure your config/routing.py # file has a resource setup: # map.resource('user', 'users') + @LoginRequired() + @HasPermissionAllDecorator('hg.admin') def __before__(self): c.admin_user = session.get('admin_user') c.admin_username = session.get('admin_username') 
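Review bot: The new `__before__` in the permissions.py `@@ -36,7 +42,14 @@` hunk reads `session.get('admin_user')` and `session.get('admin_username')`, but nothing in this commit writes those keys; the code admin.py removes in the same commit derived the same values from `session['hg_app_user']` (`user.is_admin`, `user.username`) instead. If no other code stores 'admin_user' / 'admin_username' in the session, `c.admin_user` and `c.admin_username` will be None on every request and whatever the templates do with them will be silently wrong; confirm where these keys are populated, or derive them from `session['hg_app_user']` as admin.py did. The same two lines appear as context in the users.py `@@ -42,7 +42,9 @@` hunk, so the resolution should apply there too. Decorator order looks right, assuming each decorator redirects or aborts before calling the wrapped function: `@LoginRequired()` is outermost, so the login check runs before the `hg.admin` permission check. The 'hg.admin' literal now appears in three controllers; a shared constant alongside the decorators in pylons_app.lib.auth would keep them in step.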
@@ -110,7 +112,7 @@ class UsersController(BaseController): % form_result['username'], category='error') return redirect(url('users')) - + def delete(self, id): """DELETE /users/id: Delete an existing item""" # Forms posted to this method should contain a hidden field: |