From 3d65393f19e3843c1b0414ffed0dfd05ed7a8a6a Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Fri, 22 Mar 2019 12:57:02 +0100
Subject: [PATCH] Properly protect create and list functionality
---
 dss.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/dss.py b/dss.py
index 968a182..223717c 100755
--- a/dss.py
+++ b/dss.py
@@ -89,6 +89,9 @@ def create(): if not is_loggedin(): return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
+ if not is_admin(): return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
+ form = CreateForm() if form.validate_on_submit():
@@ -166,6 +169,9 @@ def list_users(): if not is_loggedin(): return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
+ if not is_admin(): return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
+ l = ldap.initialize(app.config.get('LDAP_URI', 'ldaps://127.0.0.1')) l.simple_bind_s(rdb.hget(session['uuid'], 'user'), rdb.hget(session['uuid'], 'pswd')) sr = l.search_s(app.config.get('LDAP_BASE'), ldap.SCOPE_SUBTREE, '(objectClass=posixAccount)', ['cn'])
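Review bot: The new `is_admin()` denial in create() is returned as a bare rendered template, which Flask serves with HTTP 200, so the refusal is indistinguishable from a successful page in access logs, reverse proxies and monitoring; return it with an explicit status, `return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav()), 403` (the login check above it deserves the same treatment if you touch it). The guard itself sits in the right place, before `CreateForm()` is built, so an unprivileged request never reaches form handling. I cannot see `is_admin()` from here; it should derive the role from the server-side session record (as the Redis lookups in the second hunk do) and never from a request parameter or cookie value the client controls. The body of create() starts above this hunk and continues below it.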
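Review bot: The admin gate is the same two-line pair pasted into two views, and the commit title says earlier views shipped without it, so the check will be forgotten again the next time a route is added; fold the login and admin checks into one `admin_required` decorator applied directly under `@app.route(...)` on create(), list_users() and any other admin-only view, as sketched below. The decorator must preserve the view's `__name__` (e.g. with `functools.wraps`), otherwise Flask registers every decorated view under the endpoint name `wrapper` and rejects the second registration. Keeping both checks in one place also pins the ordering that `is_admin()` presumably needs, namely `session['uuid']` already being present. list_users() continues past this hunk; note that the listing still binds to LDAP with the caller's own credentials read back from Redis, so the directory-side ACL, not this application check, is what ultimately limits what an administrator can see.
```python
def admin_required(view):
    """Refuse the request unless the session is logged in as an administrator."""
    @wraps(view)  # functools.wraps: keep the view's __name__ for Flask's endpoint registry
    def guarded(*args, **kwargs):
        if not is_loggedin():
            return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
        if not is_admin():
            return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
        return view(*args, **kwargs)
    return guarded

@admin_required
def list_users():
    # … unchanged: LDAP bind and posixAccount search …
```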