authorMagnus Hagander2023-02-21 14:19:01 +0000
committerMagnus Hagander2023-02-21 14:19:01 +0000
commitfb632f22912fd30df3cdfc4c7c34a2293cafe885 (patch)
treea98ce3214a952a0ef2bb09e83483731169ffabc9
parent65eef28f69f6b20b466d0754e37c8d234c9ec825 (diff)
Restrict user search/import to cf admins
All users can still enumerate local users, but the functionality to search the central database is restricted to admins only. Reported by Benjamin Flesch
-rw-r--r--pgcommitfest/commitfest/ajax.py6
-rw-r--r--pgcommitfest/commitfest/templates/base_form.html4
2 files changed, 10 insertions, 0 deletions
diff --git a/pgcommitfest/commitfest/ajax.py b/pgcommitfest/commitfest/ajax.py
index c188684..e334c57 100644
--- a/pgcommitfest/commitfest/ajax.py
+++ b/pgcommitfest/commitfest/ajax.py
@@ -223,6 +223,9 @@ def detachThread(request):
def searchUsers(request):
+ if not request.user.is_staff:
+ return []
+
if request.GET.get('s', ''):
return user_search(request.GET['s'])
else:
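Review bot: The added early `return []` makes an authorization failure indistinguishable from a search with no matches, so a non-admin caller gets a silent empty list and nothing is logged or surfaced as an error. The same inline `is_staff` check is repeated in the importUser hunk below, where the denial is surfaced as Http404 instead, so the two views disagree about how a refused request looks. Either `raise PermissionDenied()` (from django.core.exceptions) in both places, or put the check in a shared decorator such as `@user_passes_test(lambda u: u.is_staff)` from django.contrib.auth.decorators so it cannot be omitted on a future view. Django's AnonymousUser reports is_staff as False, so unauthenticated callers are also refused by this check. searchUsers's body continues outside the hunk.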
@@ -230,6 +233,9 @@ def searchUsers(request):
def importUser(request):
+ if not request.user.is_staff:
+ raise Http404()
+
if request.GET.get('u', ''):
u = user_search(userid=request.GET['u'])
if len(u) != 1:
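Review bot: Raising Http404 for a non-admin caller reports an authorization failure as "not found", which keeps it out of 403-based log review and leaves the next maintainer guessing whether that was intended; if the 404 is deliberate so the endpoint is not disclosed to non-admins, a comment such as `# Deliberately 404 rather than 403: do not reveal this endpoint to non-admins` should say so, otherwise `raise PermissionDenied()` is the accurate signal. The check is correctly placed before any request parameter is read. Separately, the view appears to perform the import in response to a GET keyed on `request.GET['u']`; that predates this commit, but a state-changing action on GET has no CSRF protection and is worth a follow-up. importUser's body continues outside the hunk.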
diff --git a/pgcommitfest/commitfest/templates/base_form.html b/pgcommitfest/commitfest/templates/base_form.html
index 3f3094b..7f2b2ad 100644
--- a/pgcommitfest/commitfest/templates/base_form.html
+++ b/pgcommitfest/commitfest/templates/base_form.html
@@ -40,6 +40,7 @@
{%include "thread_attach.inc" %}
{%endif%}
+{%if user.is_staff%}
<div class="modal fade" id="searchUserModal" role="dialog">
<div class="modal-dialog modal-lg">
<div class="modal-content">
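Review bot: The `{%if user.is_staff%}` guards added here and in the three following hunks only hide the modal and its button from non-admins; the server-side checks in the searchUsers and importUser views are the actual control, and a reader of this template cannot tell that from here. A template comment at the opening tag, `{# UI-only gating; the searchUsers/importUser views enforce is_staff server-side #}`, would make that dependency explicit. The guard opened in the third hunk is closed in the fourth inside the inline script, so the statements between them must stay self-contained; they currently are, as far as the hunks show.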
@@ -66,6 +67,7 @@
</div>
</div>
</div>
+{%endif%}
{%endblock%}
{%block extrahead%}
@@ -97,6 +99,7 @@
}
});
{%endfor%}
+{%if user.is_staff%}
$('.selectize-control').after(
$('<a href="#" class="btn btn-default btn-sm">Import user not listed</a>').click(function () {
search_and_store_user();
@@ -106,6 +109,7 @@
$('#searchUserModal').on('shown.bs.modal', function() {
$('#searchUserSearchField').focus();
});
+{%endif%}
/* Build our button callbacks */
$(document).ready(function() {