diff --git a/app.py b/app.py index 89e2772ece2..80d7e5feb89 100644 --- a/app.py +++ b/app.py @@ -15,7 +15,7 @@ from flask_commonmark import Commonmark from werkzeug.urls import url_encode from config import config -from auth import auth_templates, current_user, requires_login +from auth import auth_templates, current_user, requires_login, is_admin from utils import db_get, db_get_many, db_set, timems, type_check, object_check, db_del # app.py @@ -165,9 +165,13 @@ def programs_page (request): if query_lang: query_lang = '?lang=' + query_lang + from_user = request.args.get('user') or None + if from_user and not is_admin (request): + return "unauthorized", 403 + texts=TRANSLATIONS.data [lang] ['Programs'] - result = db_get_many ('programs', {'username': username}, True) + result = db_get_many ('programs', {'username': from_user or username}, True) programs = [] now = timems () for item in result: @@ -183,7 +187,7 @@ def programs_page (request): programs.append ({'id': item ['id'], 'code': item ['code'], 'date': texts ['ago-1'] + ' ' + str (date) + ' ' + measure + ' ' + texts ['ago-2'], 'level': item ['level'], 'name': item ['name']}) - return render_template('programs.html', lang=requested_lang(), menu=render_main_menu('programs'), texts=texts, auth=TRANSLATIONS.data [lang] ['Auth'], programs=programs, username=username, current_page='programs', query_lang=query_lang) + return render_template('programs.html', lang=requested_lang(), menu=render_main_menu('programs'), texts=texts, auth=TRANSLATIONS.data [lang] ['Auth'], programs=programs, username=username, current_page='programs', query_lang=query_lang, from_user=from_user) # @app.route('/post/', methods=['POST']) # for now we do not need a post but I am leaving it in for a potential future 
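Review bot: The new `?user=` branch in programs_page is the only place in this diff where a query parameter selects whose records are read, and it carries no comment saying why it is gated; since `request.args.get('user') or None` also silently folds `?user=` into "no parameter", a maintainer could later loosen the `is_admin` check without realising it is the whole protection. I would add above the check: `# Admin-only: ?user=<name> lists another user's programs. Non-admins (including anonymous requests, whose username is '') are rejected before any lookup.` The value is passed unchanged into the `db_get_many` filter and into the template as `from_user`; that looks acceptable because only admins reach it and Flask autoescapes `.html` templates, but it is worth stating in the same comment so nobody renders it with `|safe` later. programs_page starts outside this hunk, so I could not confirm where `username` is set or whether the route is wrapped in `requires_login`.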
@@ -204,8 +208,9 @@ def index(level, step): if not result: return 'No such program', 404 # Allow both the owner of the program and the admin user to access the program - if current_user(request) != os.getenv ('ADMIN_USER') and result ['username'] != current_user(request) ['username']: - return 'No such program', 404 + user = current_user (request) + if user ['username'] != result ['username'] and not is_admin (request): + return 'No such program!', 404 loaded_program = result ['code'] # We default to step 1 to provide a meaningful default assignment step = 1 diff --git a/auth.py b/auth.py index b0fdb1ff988..9e3dacf7b76 100644 --- a/auth.py +++ b/auth.py @@ -35,6 +35,10 @@ def current_user (request): return user return {'username': '', 'email': ''} +def is_admin (request): + user = current_user (request) + return user ['username'] == os.getenv ('ADMIN_USER') or user ['email'] == os.getenv ('ADMIN_USER') + # The translations are imported here because current_user above is used by hedyweb.py and we need to avoid circular dependencies import hedyweb TRANSLATIONS = hedyweb.Translations () @@ -418,8 +422,7 @@ def auth_templates (page, lang, menu, request): if page in ['signup', 'login', 'recover', 'reset']: return render_template (page + '.html', lang=lang, auth=TRANSLATIONS.data [lang] ['Auth'], menu=menu, username=current_user (request) ['username'], current_page='login') if page == 'admin': - user = current_user (request) - if user ['username'] != os.getenv ('ADMIN_USER') and user ['email'] != os.getenv ('ADMIN_USER'): + if not is_admin (request): return 'unauthorized', 403 # After hitting 1k users, it'd be wise to add pagination. diff --git a/templates/admin.html b/templates/admin.html index 9d3fd10bdeb..d02a03d1e0b 100644 --- a/templates/admin.html +++ b/templates/admin.html @@ -8,6 +8,7 @@
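Review bot: The rewritten owner check in `index` calls `is_admin (request)` right after `current_user (request)` has already been resolved into `user`, so a non-owner request does the session lookup twice; it is harmless but worth either passing the resolved user through or noting it. More importantly, the removed line compared the `current_user` dict against the `ADMIN_USER` string, which could never be equal, so admin access to other users' programs is effectively being enabled for the first time by this commit rather than preserved — the commit message should say so and someone should confirm that is intended. The 404-instead-of-403 response for non-owners is presumably deliberate (it does not confirm the program id exists); I would document that with `# Non-owners get the same 404 as a missing id so program ids cannot be enumerated.` rather than leaving it implicit. The `index` function starts before this hunk and continues after it.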
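Review bot: `is_admin` becomes the single authorization choke point for the admin page, the `?user=` listing and cross-user program access, yet it does not guard against `ADMIN_USER` being unset or empty: `current_user` returns `{'username': '', 'email': ''}` for an anonymous request, so if the variable is deployed as an empty string every visitor matches `user ['email'] == ''` and is admin. I would write the body as `admin = os.getenv ('ADMIN_USER')` followed by `return bool (admin) and admin in (user ['username'], user ['email'])`, which fails closed when the variable is missing or blank. Separately, matching the same value against both username and email means a freshly registered account whose username equals the admin's e-mail address would also pass, unless signup rejects such usernames — I cannot see the signup validation from here, so please confirm. A one-line docstring stating that both fields are compared against `ADMIN_USER` would help the next reader.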

Users ({{ user_count }})

# Username + Programs Email Created Last login @@ -21,6 +22,7 @@

Users ({{ user_count }})

{{user.index}} {{user.username}} + Programs {{user.email}} {{user.created}} {{user.last_login}} diff --git a/templates/programs.html b/templates/programs.html index b65ff253ce4..76696dc8110 100644 --- a/templates/programs.html +++ b/templates/programs.html @@ -2,7 +2,8 @@ {% block body %}
-

{{texts.recent}}

+ {% if from_user %}

{{from_user}}'s recent programs

+ {% else %}

{{texts.recent}}

{% endif %}