From fb632f22912fd30df3cdfc4c7c34a2293cafe885 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Tue, 21 Feb 2023 15:19:01 +0100
Subject: [PATCH] Restrict user search/import to cf admins

All users can still enumerate local users, but the functionality to search the central database is restricted to admins only.

Reported by Benjamin Flesch
---
 pgcommitfest/commitfest/ajax.py | 6 ++++++
 pgcommitfest/commitfest/templates/base_form.html | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/pgcommitfest/commitfest/ajax.py b/pgcommitfest/commitfest/ajax.py
index c188684..e334c57 100644
--- a/pgcommitfest/commitfest/ajax.py
+++ b/pgcommitfest/commitfest/ajax.py
@@ -223,6 +223,9 @@ def detachThread(request):
 def searchUsers(request):
+ if not request.user.is_staff:
+ return []
+
 if request.GET.get('s', ''):
 return user_search(request.GET['s'])
 else:
@@ -230,6 +233,9 @@ def searchUsers(request):
 def importUser(request):
+ if not request.user.is_staff:
+ raise Http404()
+
 if request.GET.get('u', ''):
 u = user_search(userid=request.GET['u'])
 if len(u) != 1:
diff --git a/pgcommitfest/commitfest/templates/base_form.html b/pgcommitfest/commitfest/templates/base_form.html
index 3f3094b..7f2b2ad 100644
--- a/pgcommitfest/commitfest/templates/base_form.html
+++ b/pgcommitfest/commitfest/templates/base_form.html
@@ -40,6 +40,7 @@
 {%include "thread_attach.inc" %}
 {%endif%}
+{%if user.is_staff%}
+{%endif%}
 {%endblock%}
 {%block extrahead%}
@@ -97,6 +99,7 @@
 } }); {%endfor%}
+{%if user.is_staff%}
 $('.selectize-control').after( $('Import user not listed').click(function () { search_and_store_user();
@@ -106,6 +109,7 @@
 $('#searchUserModal').on('shown.bs.modal', function() { $('#searchUserSearchField').focus(); });
+{%endif%}
 /* Build our button callbacks */ $(document).ready(function() {
--
2.39.5
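Review bot: The new guard at the top of searchUsers denies non-staff callers by returning `[]`, which a client cannot tell apart from a search that simply matched nothing, and it differs from importUser in the next hunk, which denies the same condition with `raise Http404()`. A distinct, shared response for the authorization failure, e.g. `raise PermissionDenied()` (Django's 403) in both views, makes the denial visible to callers and to access logs and keeps the two endpoints consistent. The check is placed before any parameter handling, so the central-directory lookup is never reached for non-staff requests, which is the right ordering; whether `is_staff` is the same thing as the "cf admins" named in the commit message cannot be confirmed from the hunk. The else branch of searchUsers continues outside the hunk.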
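Review bot: The added `raise Http404()` in importUser relies on `Http404` already being imported in ajax.py, which this hunk does not show; if it is not, a non-staff request would fail with a NameError (an HTTP 500) instead of the intended 404, so the import should be confirmed before merging. A one-line comment on the guard, `# Central-directory lookup is restricted to staff; enforced here, not only in the template`, would record that the template gating in base_form.html is cosmetic and this check is the actual control. The body of importUser continues outside the hunk.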