Implement authentication with before_request in admin package

Patrick Jentsch 2021-12-13 12:20:32 +01:00
parent 82543d883f
commit e356be77da


@ -8,16 +8,23 @@ from ..models import Role, User
from ..settings import tasks as settings_tasks from ..settings import tasks as settings_tasks
@bp.route('/') @bp.before_request
@login_required @login_required
@admin_required @admin_required
def before_request():
'''
Ensures that the routes in this package can be visited only by users with
administrator privileges (login_required and admin_required).
'''
pass
@bp.route('/')
def index(): def index():
return redirect(url_for('.users')) return redirect(url_for('.users'))
@bp.route('/users') @bp.route('/users')
@login_required
@admin_required
def users(): def users():
dict_users = {user.id: user.to_dict(backrefs=True, relationships=False) dict_users = {user.id: user.to_dict(backrefs=True, relationships=False)
for user in User.query.all()} for user in User.query.all()}
@ -26,16 +33,12 @@ def users():
@bp.route('/users/<hashid:user_id>') @bp.route('/users/<hashid:user_id>')
@login_required
@admin_required
def user(user_id): def user(user_id):
user = User.query.get_or_404(user_id) user = User.query.get_or_404(user_id)
return render_template('admin/user.html.j2', title='User', user=user) return render_template('admin/user.html.j2', title='User', user=user)
@bp.route('/users/<hashid:user_id>/delete') @bp.route('/users/<hashid:user_id>/delete')
@login_required
@admin_required
def delete_user(user_id): def delete_user(user_id):
settings_tasks.delete_user(user_id) settings_tasks.delete_user(user_id)
flash('User has been marked for deletion!') flash('User has been marked for deletion!')
@ -43,8 +46,6 @@ def delete_user(user_id):
@bp.route('/users/<hashid:user_id>/edit', methods=['GET', 'POST']) # noqa @bp.route('/users/<hashid:user_id>/edit', methods=['GET', 'POST']) # noqa
@login_required
@admin_required
def edit_user(user_id): def edit_user(user_id):
user = User.query.get_or_404(user_id) user = User.query.get_or_404(user_id)
form = EditGeneralSettingsAdminForm(user) form = EditGeneralSettingsAdminForm(user)
@ -62,5 +63,5 @@ def edit_user(user_id):
form.email.data = user.email form.email.data = user.email
form.role.data = user.role_id form.role.data = user.role_id
form.username.data = user.username form.username.data = user.username
return render_template('admin/edit_user.html.j2', form=form, return render_template(
title='Edit user', user=user) 'admin/edit_user.html.j2', form=form, title='Edit user', user=user)
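Review bot: The `delete_user` view in the second hunk is registered with `@bp.route('/users/<hashid:user_id>/delete')` and no `methods` argument, so it answers GET while calling `settings_tasks.delete_user(user_id)`. With the per-view decorators removed, the blueprint-wide `before_request` hook is its only guard, and that hook checks who the requester is, not whether the request was intended, so a state-changing GET stays exposed to cross-site request forgery against a logged-in administrator. I would restrict the route with `methods=['POST']` and submit it from a form covered by the project's CSRF protection (presumably the mechanism behind `EditGeneralSettingsAdminForm`; confirm). A one-line comment above the hook would also help, e.g. `# bp.before_request must stay outermost so the decorated function is what gets registered`, because reordering the decorators would register the bare no-op and silently drop the checks. The body of `delete_user` continues outside the hunk, so its redirect and any later checks are not visible here.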