1
0
mirror of https://github.com/moepman/bk-dss synced 2024-12-22 08:04:27 +01:00

Properly protect create and list functionality

This commit is contained in:
Markus 2019-03-22 12:57:02 +01:00
parent e4ed76957f
commit 3d65393f19

6
dss.py
View File

@ -89,6 +89,9 @@ def create():
if not is_loggedin():
return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
if not is_admin():
return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
form = CreateForm()
if form.validate_on_submit():
@ -166,6 +169,9 @@ def list_users():
if not is_loggedin():
return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
if not is_admin():
return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
l = ldap.initialize(app.config.get('LDAP_URI', 'ldaps://127.0.0.1'))
l.simple_bind_s(rdb.hget(session['uuid'], 'user'), rdb.hget(session['uuid'], 'pswd'))
sr = l.search_s(app.config.get('LDAP_BASE'), ldap.SCOPE_SUBTREE, '(objectClass=posixAccount)', ['cn'])