web: Create a handler that can only be called by admins

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/web/base.py b/src/web/base.py
index 959ddf7f1f908c2b0963b9a9d837a07c4b01d9ee..2a1767b289e99d876a1d8b1002c9af6221c24ac0 100644 (file)
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -627,6 +627,7 @@ class BaseHandler(tornado.web.RequestHandler):
                if name:
                        return await self.backend.users.get_by_name(name)
 
+
 # XXX TODO
 BackendMixin = BaseHandler
 
@@ -852,3 +853,17 @@ class ratelimit(object):
                        return result
 
                return wrapper
+
+
+class AdminHandler(BaseHandler):
+       """
+               An extension of the base handler that can only be called by an admin
+       """
+       @authenticated
+       async def prepare(self):
+               # Fetch the current user
+               current_user = await self.get_current_user()
+
+               # Fail if we don't have admin right
+               if not current_user.is_admin():
+                       raise tornado.web.HTTPError(403, "admin rights required")