Add explicit group permissions check for varnish purge and pending mod
authorMagnus Hagander <magnus@hagander.net>
Fri, 26 Jan 2018 10:03:10 +0000 (11:03 +0100)
committerMagnus Hagander <magnus@hagander.net>
Fri, 26 Jan 2018 10:03:10 +0000 (11:03 +0100)
Previously we just used "is member of staff", but for better granularity
explicitly also check membership of groups. This introduces the new
group "varnish purgers" for that permission.

pgweb/core/views.py

index 70f1dd54c06abd94b87bcce055e47f9e5f73f887..cdc91d9844556e649bed3bad51cc90223d98bbed 100644 (file)
@@ -252,6 +252,7 @@ def sync_timestamp(request):
 # List of all unapproved objects, for the special admin page
 @login_required
 @user_passes_test(lambda u: u.is_staff)
+@user_passes_test(lambda u: u.groups.filter(name='web slaves').exists())
 def admin_pending(request):
        return render_to_response('core/admin_pending.html', {
                        'app_list': get_all_pending_moderations(),
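Review bot: A logged-in staff member who is not in the 'web slaves' group is redirected to the login page by the `user_passes_test` line added on admin_pending, rather than receiving a 403, because that decorator handles every failed test as a missing login. The same applies to the 'varnish purgers' check added on admin_purge in the next hunk. A small helper that raises `PermissionDenied` (from `django.core.exceptions`) for an authenticated user would make the denial explicit and keep the staff and group checks in one place. Whether the login page then sends the user back to the same URL depends on configuration not visible here, and admin_pending's body continues outside the hunk.

```python
def staff_in_group(name):
    # login_required runs first, so a user reaching this test is authenticated.
    def check(u):
        if u.is_staff and u.groups.filter(name=name).exists():
            return True
        raise PermissionDenied
    return user_passes_test(check)

# List of all unapproved objects, for the special admin page
@login_required
@staff_in_group('web slaves')
def admin_pending(request):
    # … unchanged: render core/admin_pending.html …
```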
@@ -260,6 +261,7 @@ def admin_pending(request):
 # Purge objects from varnish, for the admin pages
 @login_required
 @user_passes_test(lambda u: u.is_staff)
+@user_passes_test(lambda u: u.groups.filter(name='varnish purgers').exists())
 def admin_purge(request):
        if request.method == 'POST':
                url = request.POST['url']
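Review bot: The new check on admin_purge matches the group by its exact display name, 'varnish purgers', and nothing in this diff creates that group, so until it is added by hand (or by a migration not shown here) the view is closed to everyone. That fails safe, but superusers get no exemption, and a later rename of the group in the admin would silently remove access. A comment above the decorator would record the dependency, for example `# Requires the "varnish purgers" auth group; it must exist and superusers are not exempt`. admin_purge's body continues outside the hunk, so how the posted `url` value is validated before purging cannot be judged from here.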