authorMagnus Hagander2023-02-21 14:19:01 +0000
committerMagnus Hagander2023-02-21 14:19:01 +0000
commitfb632f22912fd30df3cdfc4c7c34a2293cafe885 (patch)
treea98ce3214a952a0ef2bb09e83483731169ffabc9 /pgcommitfest/commitfest/ajax.py
parent65eef28f69f6b20b466d0754e37c8d234c9ec825 (diff)
Restrict user search/import to cf admins
All users can still enumerate local users, but the functionality to search the central database is restricted to admins only. Reported by Benjamin Flesch.
Diffstat (limited to 'pgcommitfest/commitfest/ajax.py')
-rw-r--r--pgcommitfest/commitfest/ajax.py6
1 files changed, 6 insertions, 0 deletions
diff --git a/pgcommitfest/commitfest/ajax.py b/pgcommitfest/commitfest/ajax.py
index c188684..e334c57 100644
--- a/pgcommitfest/commitfest/ajax.py
+++ b/pgcommitfest/commitfest/ajax.py
@@ -223,6 +223,9 @@ def detachThread(request):
def searchUsers(request):
+ if not request.user.is_staff:
+ return []
+
if request.GET.get('s', ''):
return user_search(request.GET['s'])
else:
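Review bot: The two handlers deny non-staff callers differently, and neither says why: `searchUsers` returns `[]` here, while `importUser` in the second hunk raises `Http404()`. An empty list is indistinguishable from a search with no matches, so a client or log reader cannot tell a denial from a miss. If that is intended, a comment above the check would record it, such as `# Non-staff: return no results instead of an error; central user search is admin-only`. The commit message says "cf admins" while the check is `request.user.is_staff`, so it is worth confirming these are the same set of accounts. The body of `searchUsers` continues past the hunk.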
@@ -230,6 +233,9 @@ def searchUsers(request):
def importUser(request):
+ if not request.user.is_staff:
+ raise Http404()
+
if request.GET.get('u', ''):
u = user_search(userid=request.GET['u'])
if len(u) != 1:
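Review bot: `importUser` still reads its argument from `request.GET['u']`, so the new `is_staff` check decides who may call it but not how the request arrived. If the rest of the function, which lies outside this hunk, creates a local account as the name suggests, that is a state change on GET. Unless the ajax dispatcher already enforces the request method or a CSRF token, a cross-site request made within a staff member's session would pass this check. Consider also requiring POST, e.g. `if request.method != 'POST': raise Http404()`, with the client sending `u` in the request body. The check also relies on `Http404` already being imported in ajax.py, since the diff adds no import.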