# HG changeset patch # User Marcin Kuzminski # Date 1277760511 -7200 # Node ID 61be6dcd49a0cb7ff88630f32f897627f3689ee1 # Parent 14478d98987004a6ee484f1f14b65448bde65e0d protected admin controllers diff -r 14478d989870 -r 61be6dcd49a0 pylons_app/controllers/admin.py --- a/pylons_app/controllers/admin.py Mon Jun 28 22:49:32 2010 +0200 +++ b/pylons_app/controllers/admin.py Mon Jun 28 23:28:31 2010 +0200 @@ -28,7 +28,7 @@ from pylons_app.model import meta from pylons_app.model.db import UserLog from webhelpers.paginate import Page -from pylons_app.lib.auth import LoginRequired +from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator log = logging.getLogger(__name__) @@ -36,11 +36,9 @@ @LoginRequired() def __before__(self): - user = session['hg_app_user'] - c.admin_user = user.is_admin - c.admin_username = user.username super(AdminController, self).__before__() - + + @HasPermissionAllDecorator('hg.admin') def index(self): sa = meta.Session diff -r 14478d989870 -r 61be6dcd49a0 pylons_app/controllers/permissions.py --- a/pylons_app/controllers/permissions.py Mon Jun 28 22:49:32 2010 +0200 +++ b/pylons_app/controllers/permissions.py Mon Jun 28 23:28:31 2010 +0200 
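Review bot: In admin.py the `hg.admin` check is attached to `index` only, while `__before__` keeps just `@LoginRequired()`, so any other action on AdminController would stay reachable by every logged-in user. permissions.py and users.py in this same changeset put the check on `__before__`, which covers the whole controller and fails closed when an action is added later; I would do the same here by moving `@HasPermissionAllDecorator('hg.admin')` under `@LoginRequired()` on `__before__`. Whether AdminController has further actions cannot be seen from this hunk, since the class body continues past it. The hunk also drops `c.admin_user` and `c.admin_username`, so a template rendered by `index` that still reads them would find them unset, which is worth confirming.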
@@ -22,13 +22,19 @@ permissions controller for pylons @author: marcink """ +from formencode import htmlfill +from pylons import request, session, tmpl_context as c, url +from pylons.controllers.util import abort, redirect +from pylons.i18n.translation import _ +from pylons_app.lib import helpers as h +from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator +from pylons_app.lib.base import BaseController, render +from pylons_app.model.db import User, UserLog +from pylons_app.model.forms import UserForm +from pylons_app.model.user_model import UserModel +import formencode import logging -from pylons import request, response, session, tmpl_context as c, url -from pylons.controllers.util import abort, redirect - -from pylons_app.lib.base import BaseController, render - log = logging.getLogger(__name__) class PermissionsController(BaseController): @@ -36,7 +42,14 @@ # To properly map this controller, ensure your config/routing.py # file has a resource setup: # map.resource('permission', 'permissions') - + + @LoginRequired() + @HasPermissionAllDecorator('hg.admin') + def __before__(self): + c.admin_user = session.get('admin_user') + c.admin_username = session.get('admin_username') + super(PermissionsController, self).__before__() + def index(self, format='html'): """GET /permissions: All items in the collection""" # url('permissions') diff -r 14478d989870 -r 61be6dcd49a0 pylons_app/controllers/users.py --- a/pylons_app/controllers/users.py Mon Jun 28 22:49:32 2010 +0200 +++ b/pylons_app/controllers/users.py Mon Jun 28 23:28:31 2010 +0200 
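Review bot: The new `__before__` in permissions.py fills `c.admin_user` and `c.admin_username` from the session keys `'admin_user'` and `'admin_username'`, but nothing visible in this changeset writes those keys; the code removed from admin.py read the flag from `session['hg_app_user']` and its `is_admin` attribute instead. If the keys are never set, both template values are `None`, and in any case what the template shows as admin status comes from a different source than the `hg.admin` check that gates the request. Deriving the flag from the same user object keeps the two in step, e.g. `user = session.get('hg_app_user')` followed by `c.admin_user = bool(user and user.is_admin)`. users.py carries the same two `session.get` lines in its `__before__`. The imports added at the top of permissions.py look copied from users.py (`UserForm`, `UserModel`, `htmlfill`); any that this controller does not use should be dropped.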
@@ -22,18 +22,18 @@ users controller for pylons @author: marcink """ -import logging +from formencode import htmlfill from pylons import request, session, tmpl_context as c, url from pylons.controllers.util import abort, redirect from pylons.i18n.translation import _ from pylons_app.lib import helpers as h -from pylons_app.lib.auth import LoginRequired +from pylons_app.lib.auth import LoginRequired, HasPermissionAllDecorator from pylons_app.lib.base import BaseController, render from pylons_app.model.db import User, UserLog from pylons_app.model.forms import UserForm from pylons_app.model.user_model import UserModel import formencode -from formencode import htmlfill +import logging log = logging.getLogger(__name__) @@ -42,7 +42,9 @@ # To properly map this controller, ensure your config/routing.py # file has a resource setup: # map.resource('user', 'users') + @LoginRequired() + @HasPermissionAllDecorator('hg.admin') def __before__(self): c.admin_user = session.get('admin_user') c.admin_username = session.get('admin_username') @@ -110,7 +112,7 @@ % form_result['username'], category='error') return redirect(url('users')) - + def delete(self, id): """DELETE /users/id: Delete an existing item""" # Forms posted to this method should contain a hidden field:
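Review bot: The stacking order of `@LoginRequired()` and `@HasPermissionAllDecorator('hg.admin')` on `__before__` in users.py is security-relevant, and nothing in the code says so. If the permission decorator reads the logged-in user from the session (its implementation in pylons_app.lib.auth is not part of this diff), it has to run after the login check, which the current order gives; a later reorder would change what an anonymous request hits first. I would add a comment above the pair, `# LoginRequired stays outermost: the hg.admin check assumes an authenticated session`, and repeat it in permissions.py where the same pair is added. The literal `'hg.admin'` is now spelled out in three controllers; a shared constant would remove the chance of a mistyped permission name.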