From a9d2f19ea96c0322e18d113624de1c43265b053d Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon, 8 Jan 2024 17:49:17 +0000
Subject: [PATCH] analytics: Restrict access to admins only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/web/analytics.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/web/analytics.py b/src/web/analytics.py
index 8eafe488..83a7d961 100644
--- a/src/web/analytics.py
+++ b/src/web/analytics.py
@@ -9,12 +9,20 @@ from . import ui_modules
 class IndexHandler(base.BaseHandler):
 	@tornado.web.authenticated
 	def get(self):
+		# Check access permissions
+		if not self.current_user.is_admin():
+			raise tornado.web.HTTPError(403)
+
 		self.render("analytics/index.html")
 
 
 class DocsHandler(base.BaseHandler):
 	@tornado.web.authenticated
 	def get(self):
+		# Check access permissions
+		if not self.current_user.is_admin():
+			raise tornado.web.HTTPError(403)
+
 		# Most Popular Pages
 		popular_pages = self.backend.analytics.get_most_popular_docs_pages(
 			self.request.host, since=datetime.timedelta(hours=24 * 365), limit=50)
-- 
2.47.3