From a42cefbbee178498afdd65ae0f774c2cdd99493f Mon Sep 17 00:00:00 2001
From: Frederick Yin
Date: Wed, 27 Oct 2021 23:07:55 +0800
Subject: Admin console requires login to admin account

---
 jimbrella/admin.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'jimbrella/admin.py')

diff --git a/jimbrella/admin.py b/jimbrella/admin.py
index 4c604be..04a3f88 100644
--- a/jimbrella/admin.py
+++ b/jimbrella/admin.py
@@ -1,11 +1,26 @@
-from flask import Blueprint, request, render_template, redirect, url_for
+from flask import Blueprint, request, session, render_template, redirect, url_for, abort
 from user_agents import parse as user_agent
 from .database import Database
+from .users import Users
 from .exceptions import *
 from .config import *
 
 bp = Blueprint("admin", __name__, url_prefix="/admin")
 db = Database(DATABASE_PATH)
+users = Users(USERS_PATH)
+
+
+@bp.before_request
+def check_privilege():
+    # only clients who have obtained a session and sent it in the Cookie header
+    # will have a decryptable username here
+    if "username" not in session:
+        return redirect(url_for("auth.login"))
+
+    username = session["username"]
+    user = users.find(username)  # under normal circumstances it must exist
+    if user["role"] != "admin":
+        abort(403)
 
 
 @bp.route("/")
-- 
cgit v1.2.3
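Review bot: In `check_privilege`, `users.find(username)` can miss for a session whose account has since been removed or renamed, and `user["role"]` on the next line would then most likely raise (a 500) instead of denying — the comment "under normal circumstances it must exist" records the assumption but nothing enforces it. Treating a missing record as unauthorized keeps that failure on the deny path: `if user is None or user["role"] != "admin":` (the exact miss value depends on `Users.find`, which is outside the hunk, so adjust the test accordingly). The comment above the session check is also inaccurate for Flask's default session: the cookie is signed, not encrypted, so the username is readable by the client and only its integrity is guaranteed; `# the session cookie is signed (not encrypted), so a username present here is one the server issued` states the actual guarantee. Resolving the role from the user store on every request, rather than trusting a role value stored in the session, is the right design and worth keeping as is.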