monitorings: Add permission check
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 23 May 2023 13:16:43 +0000 (13:16 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 23 May 2023 13:16:43 +0000 (13:16 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/buildservice/releasemonitoring.py
src/templates/monitorings/show.html
src/web/monitorings.py

index 1144434a0e77cd74624e602e14b8116349c2f710..84a5bc1bdcd5e8e5fd66ea70ce735f0c8de21946 100644 (file)
@@ -252,6 +252,16 @@ class Monitoring(base.DataObject):
        def create_builds(self):
                return self.data.create_builds
 
+       # Permissions
+
+       def has_perm(self, user=None):
+               # Anonymous users can't perform any actions
+               if user is None:
+                       return False
+
+               # Users must be admins
+               return user.is_admin()
+
        # Check
 
        async def check(self):
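Review bot: `has_perm()` has no docstring, and nothing at the definition says that it is admin-only or that it fails closed for anonymous callers, although the template and the handler now both rely on it as the authorization gate. I would add a docstring directly under the `def` line, such as `"""Return True if user may act on this monitoring (admins only); None (anonymous) is always denied."""`. The name suggests a per-permission lookup, but the method takes no action argument, so the docstring should also state that one answer covers every action on the object.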
index 50449c27189a24542b62cbcb085e8faa9186c88d..ffc292d07cb365d86d8dda568bd6fa42e28c3cde 100644 (file)
@@ -64,7 +64,7 @@
                </div>
        </section>
 
-       {% if current_user and current_user.is_admin() %}
+       {% if monitoring.has_perm(current_user) %}
                <section class="section">
                        <div class="container">
                                <div class="buttons">
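Review bot: The condition at `{% if monitoring.has_perm(current_user) %}` only hides the controls; it does not stop a request sent directly to the target URL. This commit adds the matching server-side check to `CheckHandler.post`, but the `buttons` container continues past the end of this hunk, so I cannot see whether it holds other actions. If it does, each handler they submit to should call `monitoring.has_perm(self.current_user)` as well. A template comment above the `if`, such as `{# UI hint only; the handlers enforce has_perm() #}`, would keep that visible.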
index 570192de695d1b8a2caab776bae8ac79c3f917de..c7b3ac5cfbc3c76d03616d4ea47472a50b72c0a3 100644 (file)
@@ -39,6 +39,7 @@ class ShowHandler(base.BaseHandler):
 
 
 class CheckHandler(base.BaseHandler):
+       @tornado.web.authenticated
        async def post(self, slug, name):
                # Fetch the distribution
                distro = self.backend.distros.get_by_slug(slug)
@@ -50,6 +51,10 @@ class CheckHandler(base.BaseHandler):
                if not monitoring:
                        raise tornado.web.HTTPError(404, "Could not find monitoring for %s in %s" % (name, distro))
 
+               # Check permissions
+               if not monitoring.has_perm(self.current_user):
+                       raise tornado.web.HTTPError(403)
+
                # Perform check
                with self.db.transaction():
                        await monitoring.check()
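Review bot: The new `raise tornado.web.HTTPError(403)` carries no log message, unlike the 404 a few lines above it, so a rejected check request records nothing about who attempted what. Passing one keeps the style consistent and leaves an audit trail for denied attempts: `raise tornado.web.HTTPError(403, "%s is not allowed to check %s" % (self.current_user, monitoring))`. Tornado's `log_message` goes to the server log, so this should not change what the client sees unless the application's error page echoes it. The body of `post()` starts and ends outside this hunk.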