From b8e992c43abdda0210c08230c8fcb722e439594f Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri, 22 Nov 2019 10:48:21 +0000
Subject: [PATCH] people: Show stats only to staff

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/web/people.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/web/people.py b/src/web/people.py
index 1bd146d5..13d0617f 100644
--- a/src/web/people.py
+++ b/src/web/people.py
@@ -224,6 +224,10 @@ class SearchHandler(auth.CacheMixin, base.BaseHandler):
 class StatsHandler(auth.CacheMixin, base.BaseHandler):
 	@tornado.web.authenticated
 	def get(self):
+		# Only staff can see stats
+		if not self.current_user.is_staff():
+			raise tornado.web.HTTPError(403)
+
 		self.render("people/stats.html")
 
 
-- 
2.47.3