login_as: fixed some issues

See https://gitea.planet-casio.com/devs/PCv5/issues/90#issuecomment-1131
Darks 2021-03-06 11:36:35 +01:00
parent 87ef91b9e3
commit 8bdf3909ea
Signed by untrusted user: Darks
GPG Key ID: 7515644268BE1433
4 changed files with 13 additions and 10 deletions


@ -48,7 +48,6 @@
# move.posts
# shoutbox.*
# misc.unlimited-pms
# misc.community-login
-
name: Administrateur
@ -62,7 +61,7 @@
move.posts
shoutbox.kick shoutbox.ban
misc.unlimited-pms misc.dev-infos misc.admin-panel
misc.no-upload-limits misc.arbitrary-login misc.community-login
misc.no-upload-limits misc.arbitrary-login
-
name: Modérateur
css: "color: green;"
@ -89,7 +88,7 @@
privs: forum.access.admin forum.post-news
publish.schedule-posts publish.pin-posts publish.shared-files
delete.shared-files
misc.no-upload-limits
misc.no-upload-limits misc.community-login
-
name: Responsable communauté
css: "color: DarkOrange;"
@ -97,7 +96,7 @@
l'évolution du monde autour de nous !"
privs: forum.access.admin forum.post-news
publish.schedule-posts publish.pin-posts publish.shared-files
delete.shared-files
delete.shared-files misc.community-login
-
name: Partenaire
css: "color: purple;"


@ -5,7 +5,9 @@ from itsdangerous.exc import BadSignature
from app import app
from app.utils.render import render
from app.utils.login_as import is_vandal
from app.utils.unicode_names import normalize
from app.models.user import Member
from app.models.priv import Group
from app.forms.login_as import LoginAsForm
@ -25,14 +27,16 @@ def adm_login_as():
# Handle form
form = LoginAsForm()
if form.validate_on_submit():
user = Member.query.filter_by(name=form.username.data).first()
norm = normalize(form.username.data)
user = Member.query.filter_by(norm=norm).one()
if user is None:
flash("Utilisateur invalide", "error")
return render('admin/login_as.html', form=form)
# Apply for community login
is_community = True # TODO: check if user is community
if not is_community and not user.priv("misc.arbitrary-login"):
g = Group.query.filter_by(name="Compte communautaire").one()
is_community = g in user.groups
if not is_community and not current_user.priv("misc.arbitrary-login"):
abort(403)
# Create a safe token to flee when needed
@ -68,7 +72,7 @@ def adm_logout_as():
try:
id = s.loads(vandal_token)
except BadSignature:
flash("Vous avez vraiment agit de manière stupide.", "error")
flash("Vous avez vraiment agi de manière stupide.", "error")
abort(403)
user = Member.query.get(id)
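Review bot: In `adm_login_as`, `Member.query.filter_by(norm=norm).one()` raises `NoResultFound` when no member matches, so the `if user is None` branch right below it can never run and an unknown username ends in an unhandled exception instead of the "Utilisateur invalide" flash; `user = Member.query.filter_by(norm=norm).one_or_none()` keeps the intended path. The same applies to `Group.query.filter_by(name="Compte communautaire").one()`, which will fail the request if that group is missing or renamed. The community test `g in user.groups` also accepts a target that belongs to the community group and to a more privileged group at the same time, and nothing in the visible lines checks that `current_user` holds `misc.community-login` (this may be enforced by a decorator outside the hunk); consider refusing targets that carry privileges beyond the community group unless the caller has `misc.arbitrary-login`. The function body starts and ends outside the hunk.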


@ -5,7 +5,7 @@
{% endblock %}
{% block content %}
<section class="form" style="width:40%;">
<section class="form">
<form action="" method="post">
{{ form.hidden_tag() }}
<p>


@ -5,7 +5,7 @@ from app import app
def is_vandal():
""" Return True is the current user looks like a vandal """
""" Return True if the current user looks like a vandal """
s = Serializer(app.config["SECRET_KEY"])
vandal_token = request.cookies.get('vandale')