Fix some privacy issues

app/users/__init__.py

@@ -2,5 +2,17 @@ from flask import Blueprint
 
 
 bp = Blueprint('users', __name__)
+
+
+@bp.before_request
+@login_required
+def before_request():
+    '''
+    Ensures that the routes in this package can only be visited by users that
+    are logged in.
+    '''
+    pass
+
+
 from . import events, json_routes, routes
 from . import settings

app/users/json_routes.py

@@ -1,5 +1,5 @@
 from flask import abort, current_app
-from flask_login import current_user, login_required, logout_user
+from flask_login import current_user, logout_user
 from threading import Thread
 from app import db
 from app.decorators import content_negotiation
@@ -8,7 +8,6 @@ from . import bp
 
 
 @bp.route('/<hashid:user_id>', methods=['DELETE'])
-@login_required
 @content_negotiation(produces='application/json')
 def delete_user(user_id):
     def _delete_user(app, user_id):

app/users/routes.py

@@ -6,23 +6,21 @@ from flask import (
     url_for
 )
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 import os
-from app.models import Corpus, User
+from app.models import User
 from . import bp
 from .utils import user_dynamic_list_constructor as user_dlc
 
 
 @bp.route('')
 @register_breadcrumb(bp, '.', '<i class="material-icons left">group</i>Users')
-@login_required
 def users():
     return redirect(url_for('main.social_area', _anchor='users'))
 
 
 @bp.route('/<hashid:user_id>')
 @register_breadcrumb(bp, '.entity', '', dynamic_list_constructor=user_dlc)
-@login_required
 def user(user_id):
     user = User.query.get_or_404(user_id)
     if not (user.is_public or user == current_user or current_user.is_administrator()):
@@ -35,7 +33,6 @@ def user(user_id):
 
 
 @bp.route('/<hashid:user_id>/avatar')
-@login_required
 def user_avatar(user_id):
     user = User.query.get_or_404(user_id)
     if not (user.is_public or user == current_user or current_user.is_administrator()):

app/users/settings/json_routes.py

@@ -1,5 +1,5 @@
 from flask import abort, request
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.decorators import content_negotiation
 from app.models import User, ProfilePrivacySettings
@@ -7,7 +7,6 @@ from . import bp
 
 
 @bp.route('/<hashid:user_id>/settings/profile-privacy/is-public', methods=['PUT'])
-@login_required
 @content_negotiation(consumes='application/json', produces='application/json')
 def update_user_profile_privacy_setting_is_public(user_id):
     user = User.query.get_or_404(user_id)
@@ -26,7 +25,6 @@ def update_user_profile_privacy_setting_is_public(user_id):
 
 
 @bp.route('/<hashid:user_id>/settings/profile-privacy/<string:profile_privacy_setting_name>', methods=['PUT'])
-@login_required
 @content_negotiation(consumes='application/json', produces='application/json')
 def update_user_profile_privacy_settings(user_id, profile_privacy_setting_name):
     user = User.query.get_or_404(user_id)

app/users/settings/routes.py

@@ -1,6 +1,6 @@
 from flask import abort, flash, g, redirect, render_template, url_for
 from flask_breadcrumbs import register_breadcrumb
-from flask_login import current_user, login_required
+from flask_login import current_user
 from app import db
 from app.models import Avatar, User
 from ..utils import user_endpoint_arguments_constructor as user_eac
@@ -16,7 +16,6 @@ from .forms import (
 
 @bp.route('/<hashid:user_id>/settings', methods=['GET', 'POST'])
 @register_breadcrumb(bp, '.entity.settings', '<i class="material-icons left">settings</i>Settings', endpoint_arguments_constructor=user_eac)
-@login_required
 def settings(user_id):
     user = User.query.get_or_404(user_id)
     if not (user == current_user or current_user.is_administrator()):