From bef66507fd8b8df4b66c3a4730a6adc739c0c71e Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 21 Jan 2025 15:54:28 +0000
Subject: [PATCH] web: Create a handler that can only be called by admins
Signed-off-by: Michael Tremer
---
 src/web/base.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/web/base.py b/src/web/base.py
index 959ddf7f..2a1767b2 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -627,6 +627,7 @@ class BaseHandler(tornado.web.RequestHandler):
 if name: return await self.backend.users.get_by_name(name)
+ # XXX TODO BackendMixin = BaseHandler
@@ -852,3 +853,17 @@ class ratelimit(object):
 return result
 return wrapper
+
+
+class AdminHandler(BaseHandler):
+ """
+ An extension of the base handler that can only be called by an admin
+ """
+ @authenticated
+ async def prepare(self):
+ # Fetch the current user
+ current_user = await self.get_current_user()
+
+ # Fail if we don't have admin right
+ if not current_user.is_admin():
+ raise tornado.web.HTTPError(403, "admin rights required")
--
2.47.3
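Review bot: In `AdminHandler.prepare()`, `current_user.is_admin()` is called without checking that `get_current_user()` returned a user, so the guard relies entirely on the `@authenticated` decorator having already stopped the request, and that decorator is defined outside this hunk. If it only redirects or tests a truthy value (with an async `get_current_user()`, a coroutine object is always truthy), an anonymous request would raise `AttributeError` and return a 500 instead of a clean denial. Writing the check as `if current_user is None or not current_user.is_admin():` keeps it fail-closed on its own. The admin gate also lives in `prepare()`, which subclasses can override, and the new method does not await `super().prepare()`. The class docstring should state that subclasses defining `prepare()` must `await super().prepare()` first, and it is worth confirming that `BaseHandler` has no `prepare()` logic that is skipped here.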