From: Robert Haas Date: Tue, 26 May 2009 20:55:25 +0000 (-0400) Subject: Restrict new/edit/delete on CommitFests to administrators. X-Git-Url: http://waps.l3s.uni-hannover.de/gitweb/?a=commitdiff_plain;h=75796dd6fbe25282c001f5fa7f0da2e21813656b;p=pgcommitfest.git Restrict new/edit/delete on CommitFests to administrators. The list of administrators is controlled by the new user_privilege table.
---
diff --git a/etc/table.sql b/etc/table.sql
index 44ae05f..c60a298 100644
--- a/etc/table.sql
+++ b/etc/table.sql
@@ -1,3 +1,9 @@
+CREATE TABLE user_privilege (
+ userid varchar not null,
+ is_administrator boolean not null,
+ PRIMARY KEY (userid)
+);
+
 CREATE TABLE session (
 id varchar not null,
 userid varchar not null,
diff --git a/perl-lib/PgCommitFest/CommitFest.pm b/perl-lib/PgCommitFest/CommitFest.pm
index f16819d..b1b3d8d 100644
--- a/perl-lib/PgCommitFest/CommitFest.pm
+++ b/perl-lib/PgCommitFest/CommitFest.pm
@@ -4,7 +4,7 @@ use warnings;
 sub delete {
 my ($r) = @_;
- $r->authenticate('require_login' => 1);
+ $r->authenticate('require_login' => 1, 'require_administrator' => 1);
 $r->set_title('Delete CommitFest');
 my $d;
 eval {
@@ -28,7 +28,7 @@ EOM
 sub form {
 my ($r) = @_;
- $r->authenticate('require_login' => 1);
+ $r->authenticate('require_login' => 1, 'require_administrator' => 1);
 # Decide whether this is a new commitfest or an edit of an existing
 # commitfest, and if editing reload data from database.
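Review bot: The new user_privilege table says nothing about how rows get into it, and no statement in this commit inserts any, so an operator has to read Request.pm to learn that a missing row (the LEFT JOIN there) and a row with `is_administrator = false` are equivalent. I would put `-- One row per administrator, inserted by hand. A missing row or is_administrator = false grants nothing.` above the CREATE TABLE. Neither this table nor the neighbouring session table declares userid as a foreign key to any user list, so as far as this diff shows a mistyped userid in a hand-inserted row grants nobody and fails nothing; worth checking whether there is a user table to reference.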
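Review bot: Keeping `'require_login' => 1` beside the new `'require_administrator' => 1` is load-bearing rather than redundant: in the Request.pm part of this same commit the administrator check runs only when a session was found, so a call passing `require_administrator` alone would let an anonymous request through. A one-line comment at the call site, `# keep require_login: require_administrator alone does not reject anonymous users`, would stop a later cleanup from dropping it; the same applies to the form hunk below. sub delete's body continues past the end of the hunk.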
@@ -74,8 +74,11 @@ EOM sub search { my ($r) = @_; + my $aa = $r->authenticate(); $r->set_title('CommitFest Index'); - $r->add_link('/action/commitfest_form', 'New CommitFest'); + if (defined $aa && $aa->{'is_administrator'}) { + $r->add_link('/action/commitfest_form', 'New CommitFest'); + } my $list = $r->db->select(<authenticate(); my $id = $r->cgi_id(); my $d = $r->db->select_one(<add_link('/action/patch_form?commitfest=' . $id, 'New Patch'); $r->add_link('/action/commitfest_topic_search?id=' . $id, 'CommitFest Topics'); - $r->add_link('/action/commitfest_form?id=' . $id, 'Edit CommitFest'); - $r->add_link('/action/commitfest_delete?id=' . $id, 'Delete CommitFest', - 'Are you sure you want to delete this CommitFest?'); + if (defined $aa && $aa->{'is_administrator'}) { + $r->add_link('/action/commitfest_form?id=' . $id, 'Edit CommitFest'); + $r->add_link('/action/commitfest_delete?id=' . $id, + 'Delete CommitFest', + 'Are you sure you want to delete this CommitFest?'); + } $r->render_template('commitfest_view', { 'd' => $d, 'patch_grouping' => [ { 'name' => 'Pending Patches', diff --git a/perl-lib/PgCommitFest/Request.pm b/perl-lib/PgCommitFest/Request.pm index 78911c7..3a89c41 100644 --- a/perl-lib/PgCommitFest/Request.pm +++ b/perl-lib/PgCommitFest/Request.pm @@ -58,7 +58,9 @@ sub authenticate { if (!defined $self->{'authenticate'} && defined $self->cookie('session')) { $self->{'authenticate'} = $self->db->select_one(<cookie('session')); -SELECT s.* FROM session s WHERE s.id = ? +SELECT s.*, p.is_administrator FROM session s + LEFT JOIN user_privilege p ON s.userid = p.userid +WHERE s.id = ? EOM } if (!defined $self->{'authenticate'} && $option{'require_login'}) { @@ -69,6 +71,12 @@ EOM } $self->redirect('/action/login'); } + if (defined $self->{'authenticate'} && $option{'require_administrator'} + && ! $self->{'authenticate'}{'is_administrator'}) { + $self->error_exit(<{'authenticate'}; }
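Review bot: With the LEFT JOIN, `$self->{'authenticate'}{'is_administrator'}` is undef for any user without a user_privilege row, which the later `! ...` test treats as not-an-administrator — correct, but it deserves a comment on the query, `# is_administrator is NULL (-> false) when the user has no user_privilege row`. One caveat to confirm: the check depends on the driver returning the boolean column as 1/0; if this is DBD::Pg that is the default, but a handle opened with `pg_bool_tf` enabled returns 'f', which is a true string in Perl and would make every logged-in user pass the administrator check. The enclosing `if` and sub authenticate begin outside the hunk.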
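Review bot: The new guard is gated on `defined $self->{'authenticate'}`, so `authenticate('require_administrator' => 1)` without `require_login` does nothing for an anonymous request and the caller continues as if the check had passed — a fail-open default for the one option whose purpose is to deny. Both call sites in this commit pass both flags, so nothing is exposed today, but the API should not rely on that; make the stronger option imply the weaker with `$option{'require_login'} = 1 if $option{'require_administrator'};` placed before the existing require_login check (which sits above this hunk), or drop the `defined` guard here so an anonymous caller reaches error_exit instead of slipping through. sub authenticate's start is outside the hunk.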