fix(fastapi): only elevated users are allowed to suspend accounts

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2021-11-08 18:18:41 -08:00
parent 446a082352
commit 85ebc72e8a
GPG key ID: F7E46DED420788F3
5 changed files with 72 additions and 9 deletions


@ -51,6 +51,9 @@ class AnonymousUser:
LangPreference = aurweb.config.get("options", "default_lang")
Timezone = aurweb.config.get("options", "default_timezone")
Suspended = 0
InactivityTS = 0
# A stub ssh_pub_key relationship.
ssh_pub_key = None


@ -143,6 +143,10 @@ def process_account_form(request: Request, user: models.User, args: dict):
if not email or not username:
return (False, ["Missing a required field."])
inactive = args.get("J", False)
if not request.user.is_elevated() and inactive != bool(user.InactivityTS):
return (False, ["You do not have permission to suspend accounts."])
username_min_len = aurweb.config.getint("options", "username_min_len")
username_max_len = aurweb.config.getint("options", "username_max_len")
if not util.valid_username(args.get("U")):
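Review bot: The permission gate compares the raw form value `args.get("J", False)` against a bool; if `args` still carries form strings here (a checked box typically arrives as "on"), the comparison is unequal whenever J is present, so the check only behaves as intended if J was already coerced upstream, which this hunk does not show. Normalizing first removes that dependency: `inactive = bool(args.get("J", False))`. The gate also keys only on `InactivityTS`, while the write path in this commit flips both `Suspended` and `InactivityTS`; should any other path ever set one without the other, a non-elevated user could clear `Suspended` without tripping the check, so comparing against both, `inactive != bool(user.Suspended or user.InactivityTS)`, is the safer form. process_account_form starts before and continues after this hunk.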
@ -528,7 +532,8 @@ async def account_edit_post(request: Request,
user.Homepage = HP or user.Homepage
user.IRCNick = I or user.IRCNick
user.PGPKey = K or user.PGPKey
user.InactivityTS = datetime.utcnow().timestamp() if J else 0
user.Suspended = J
user.InactivityTS = int(datetime.utcnow().timestamp()) * int(J)
# If we update the language, update the cookie as well.
if L and L != user.LangPreference:
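Review bot: `datetime.utcnow().timestamp()` on the rewritten InactivityTS line treats the naive UTC datetime as local time, so on a host whose clock zone is not UTC the stored timestamp is shifted by the zone offset (the old line had the same issue, but the new line keeps it). `user.InactivityTS = int(datetime.now(timezone.utc).timestamp()) * int(J)` avoids that and needs `timezone` imported from `datetime` alongside `datetime`. `user.Suspended = J` writes the form value straight into the column, which only holds because `int(J)` on the next line already requires J to be bool-like; a comment such as `# J is the suspend checkbox; InactivityTS is non-zero only while suspended` would make that coupling explicit for the next reader. account_edit_post starts before and continues after this hunk.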