
Properly protect create and list functionality

This commit is contained in:
Markus 2019-03-22 12:57:02 +01:00
parent e4ed76957f
commit 3d65393f19

6
dss.py

@ -89,6 +89,9 @@ def create():
if not is_loggedin(): if not is_loggedin():
return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav()) return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
if not is_admin():
return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
form = CreateForm() form = CreateForm()
if form.validate_on_submit(): if form.validate_on_submit():
@ -166,6 +169,9 @@ def list_users():
if not is_loggedin(): if not is_loggedin():
return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav()) return render_template('error.html', message="You are not logged in. Please log in first.", nav=build_nav())
if not is_admin():
return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav())
l = ldap.initialize(app.config.get('LDAP_URI', 'ldaps://127.0.0.1')) l = ldap.initialize(app.config.get('LDAP_URI', 'ldaps://127.0.0.1'))
l.simple_bind_s(rdb.hget(session['uuid'], 'user'), rdb.hget(session['uuid'], 'pswd')) l.simple_bind_s(rdb.hget(session['uuid'], 'user'), rdb.hget(session['uuid'], 'pswd'))
sr = l.search_s(app.config.get('LDAP_BASE'), ldap.SCOPE_SUBTREE, '(objectClass=posixAccount)', ['cn']) sr = l.search_s(app.config.get('LDAP_BASE'), ldap.SCOPE_SUBTREE, '(objectClass=posixAccount)', ['cn'])
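Review bot: The new is_admin() gate in both hunks (create() in the first, list_users() in the second) denies access with a bare `return render_template('error.html', ...)`, which Flask sends with a 200 status, so a rejected request is indistinguishable from a successful page render in access logs and to any monitoring that keys on status codes. Returning an explicit status on the new line, `return render_template('error.html', message="You do not have administrative privileges. Please log in using an administrative account.", nav=build_nav()), 403`, keeps the page identical for the user while making the denial visible; the existing not-logged-in branch would benefit from the same treatment. The same two-line check is now repeated verbatim in two routes, so if more admin-only routes are planned, a small decorator such as `@admin_required` wrapping both the login and the admin check would make the gate harder to forget on a new route. What is_admin() evaluates is defined outside this diff, so whether it reads the server-side session record (as the rdb.hget lookups below do) or something client-controlled cannot be confirmed here.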