Merge pull request moinwiki#1751 from UlrichB22/admin_permission

Restrict all admin views to the superuser
RogerHaase · Sep 5, 2024 · 5e46430 · 5e46430
2 parents e342611 + d1a30cf
commit 5e46430
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/src/moin/apps/admin/_tests/test_admin.py b/src/moin/apps/admin/_tests/test_admin.py
@@ -1,4 +1,5 @@
 # Copyright: 2011 Sam Toyer
+# Copyright: 2024 MoinMoin:UlrichB
 # License: GNU GPL v2 (or any later version), see LICENSE.txt for details
 
 """
@@ -18,9 +19,9 @@
         ({"endpoint": "admin.userprofile", "user_name": "DoesntExist"}, "403 FORBIDDEN", ("<html>", "</html>")),
         ({"endpoint": "admin.wikiconfig"}, "403 FORBIDDEN", ("<html>", "</html>")),
         ({"endpoint": "admin.wikiconfighelp"}, "403 FORBIDDEN", ("<html>", "</html>")),
-        ({"endpoint": "admin.interwikihelp"}, "200 OK", ("<html>", "</html>")),
-        ({"endpoint": "admin.highlighterhelp"}, "200 OK", ("<html>", "</html>")),
-        ({"endpoint": "admin.itemsize"}, "200 OK", ("<html>", "</html>")),
+        ({"endpoint": "admin.interwikihelp"}, "403 FORBIDDEN", ("<html>", "</html>")),
+        ({"endpoint": "admin.highlighterhelp"}, "403 FORBIDDEN", ("<html>", "</html>")),
+        ({"endpoint": "admin.itemsize"}, "403 FORBIDDEN", ("<html>", "</html>")),
     ),
 )
 def test_admin(app, url_for_args, status, data):

diff --git a/src/moin/apps/admin/views.py b/src/moin/apps/admin/views.py
@@ -75,6 +75,7 @@ def index():
 
 
 @admin.route("/user")
+@require_permission(SUPERUSER)
 def index_user():
     return render_template(
         "user/index_user.html",
@@ -359,6 +360,7 @@ def format_default(default):
 
 
 @admin.route("/highlighterhelp", methods=["GET"])
+@require_permission(SUPERUSER)
 def highlighterhelp():
     """display a table with list of available Pygments lexers"""
     import pygments.lexers
@@ -375,6 +377,7 @@ def highlighterhelp():
 
 
 @admin.route("/interwikihelp", methods=["GET"])
+@require_permission(SUPERUSER)
 def interwikihelp():
     """display a table with list of known interwiki names / urls"""
     headings = [_("InterWiki name"), _("URL")]
@@ -383,6 +386,7 @@ def interwikihelp():
 
 
 @admin.route("/itemsize", methods=["GET"])
+@require_permission(SUPERUSER)
 def itemsize():
     """display a table with item sizes"""
     headings = [_("Size"), _("Item name")]