def perms(self):
return self.db.get("SELECT * FROM users_permissions WHERE user_id = %s", self.id)
- def has_perm(self, perm):
+ def has_perm(self, user):
"""
- Returns True if the user has the requested permission.
+ Check, if the given user has the right to perform administrative
+ operations on this user.
"""
- # Admins have the permission for everything.
- if self.is_admin():
+ # Anonymous people have no permission
+ if user is None:
+ return False
+
+ # Admins always have permission
+ if user.is_admin():
+ return True
+
+ # Users can edit themselves
+ if user == self:
return True
- # All others must be checked individually.
- return self.perms.get(perm, False) == True
+ # No permission
+ return False
@property
def sessions(self):
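Review bot: The self-edit branch `if user == self:` only works if the user class defines `__eq__`; the class body is not in this hunk, and without it two instances loaded separately for the same row compare by identity, so a non-admin would never be allowed to edit their own account. Comparing the primary key that `perms` already reads as `self.id` is unambiguous: `if user.id == self.id:`. The docstring should also say what `user` is, since the parameter changed meaning from a permission name to an acting user: `Return True if *user* (None for anonymous) may perform administrative operations on this user.` The `sessions` property that follows begins outside the hunk.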
{% end %}
{% end %}
- <a class="success expanded button" href="/users/{{ user.name }}/repos/create">
- {{ _("Create Repository") }}
- </a>
+ {% if user.has_perm(current_user) %}
+ <a class="success expanded button" href="/users/{{ user.name }}/repos/create">
+ {{ _("Create Repository") }}
+ </a>
+ {% end %}
<div class="callout">
<div class="grid-x grid-padding-x">
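Review bot: The `{% if user.has_perm(current_user) %}` guard only hides the link; the handler behind `/users/{{ user.name }}/repos/create` is not part of this diff and must enforce the same check, otherwise the URL remains reachable by typing it. The template now reads `current_user`, so confirm it is in the render namespace for every page that includes this file (Tornado's default template namespace provides it, but that can be overridden). The surrounding template block starts outside the hunk.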
if not user:
raise tornado.web.HTTPError(404, "Could not find user %s" % name)
- # XXX Check for permissions
+ # Check for permission
+ if not user.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403)
self.render("users/delete.html", user=user)
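Review bot: The lookup-then-authorize pair `if not user: raise tornado.web.HTTPError(404, ...)` followed by `if not user.has_perm(self.current_user): raise tornado.web.HTTPError(403)` is now repeated verbatim in four handlers (this one and the hunks ending at `user.delete()`, `users/edit.html` and the final `pass`); a helper on the shared base handler that resolves the name, performs both checks and returns the user would keep the authorization rule in one place so a later handler cannot omit it. Because the 404 is raised before the 403, an anonymous caller can still tell existing user names from non-existing ones; that is fine if user pages are public, otherwise the permission check should come first. The enclosing handler methods start outside these hunks.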
if not user:
raise tornado.web.HTTPError(404, "Could not find user %s" % name)
- # XXX Check for permissions
+ # Check for permission
+ if not user.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403)
with self.db.transaction():
user.delete()
if not user:
raise tornado.web.HTTPError(404, "Could not find user %s" % name)
- # XXX Check for permissions
+ # Check for permission
+ if not user.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403)
self.render("users/edit.html", user=user)
if not user:
raise tornado.web.HTTPError(404, "Could not find user %s" % name)
- # XXX Check for permissions
+ # Check for permission
+ if not user.has_perm(self.current_user):
+ raise tornado.web.HTTPError(403)
with self.db.transaction():
pass