Restrict user search/import to cf admins
authorMagnus Hagander <[email protected]>
Tue, 21 Feb 2023 14:19:01 +0000 (15:19 +0100)
committerMagnus Hagander <[email protected]>
Tue, 21 Feb 2023 14:19:01 +0000 (15:19 +0100)
All users can still enumerate local users, but the functionality to
search the central database is restricted to admins only.

Reported by Benjamin Flesch

pgcommitfest/commitfest/ajax.py
pgcommitfest/commitfest/templates/base_form.html

index c188684e901385449ce4075d672c3a6b62635ab0..e334c57cf9eb74e631db0ba36c2619de0ce62739 100644 (file)
@@ -223,6 +223,9 @@ def detachThread(request):
 
 
 def searchUsers(request):
+    if not request.user.is_staff:
+        return []
+
     if request.GET.get('s', ''):
         return user_search(request.GET['s'])
     else:
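Review bot: The early return in searchUsers answers a non-staff caller with `[]`, which is the same shape as a search with no matches, so a denied request is indistinguishable from a miss and is handled differently from importUser in the next hunk, which raises Http404 for the same condition. If the empty list is deliberate (so the selectize widget receives a well-formed result instead of an error page), say so, e.g. `# Non-staff callers get an empty result rather than an error so the widget degrades silently`; otherwise raise `PermissionDenied` (django.core.exceptions; the import block is outside this hunk) or Http404 to match importUser. Django's AnonymousUser reports `is_staff` as False, so unauthenticated callers are rejected by the same check. `is_staff` is Django's admin-site flag; if the project models commitfest admins separately from staff, this predicate is broader than the commit title suggests — confirm. searchUsers's body continues past the hunk.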
@@ -230,6 +233,9 @@ def searchUsers(request):
 
 
 def importUser(request):
+    if not request.user.is_staff:
+        raise Http404()
+
     if request.GET.get('u', ''):
         u = user_search(userid=request.GET['u'])
         if len(u) != 1:
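Review bot: `raise Http404()` reports an authorization failure as a missing resource; Django's `PermissionDenied` (a 403) is the idiomatic signal and keeps server logs honest, so consider `raise PermissionDenied()` unless hiding the endpoint from non-staff is intended, in which case a one-line comment stating that would help. The check assumes Http404 is imported in ajax.py, which cannot be confirmed from this hunk. The import is still driven by a GET parameter (`request.GET['u']`); if the remainder of importUser, outside this hunk, writes the imported user into the local database, that state change stays reachable through a crafted link opened by a staff member, so a POST with CSRF protection would be the safer shape — a separate change from this one. importUser's body continues past the hunk.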
index 3f3094b0dde933856493958f395d6541903a8ac6..7f2b2adfbfeecaaa3adfd807168abf71f598d957 100644 (file)
@@ -40,6 +40,7 @@
 {%include "thread_attach.inc" %}
 {%endif%}
 
+{%if user.is_staff%}
 <div class="modal fade" id="searchUserModal" role="dialog">
   <div class="modal-dialog modal-lg">
     <div class="modal-content">
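Review bot: The `{%if user.is_staff%}` added here only hides the modal; the server-side checks in ajax.py are what enforce the restriction, and that is worth a short template comment so nobody later treats the markup gate as the control, e.g. `{# UI only — searchUsers/importUser in ajax.py enforce the staff check #}`. The same predicate is now spelled out in the template and in both views; if the notion of "cf admin" ever diverges from Django's `is_staff`, every copy has to move together, so a single context flag or template variable would be easier to keep consistent. The matching `{%endif%}` lands in the following hunk.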
@@ -66,6 +67,7 @@
     </div>
   </div>
 </div>
+{%endif%}
 {%endblock%}
 
 {%block extrahead%}
@@ -97,6 +99,7 @@
       }
    });
 {%endfor%}
+{%if user.is_staff%}
    $('.selectize-control').after(
       $('<a href="#" class="btn btn-default btn-sm">Import user not listed</a>').click(function () {
           search_and_store_user();
 $('#searchUserModal').on('shown.bs.modal', function() {
          $('#searchUserSearchField').focus();
 });
+{%endif%}
 
 /* Build our button callbacks */
 $(document).ready(function() {