From 91d6e033cf74402f4ea494fedec7c7c88a4edc0c Mon Sep 17 00:00:00 2001
From: UlrichB22 <97119703+UlrichB22@users.noreply.github.com>
Date: Tue, 3 Sep 2024 21:39:41 +0200
Subject: [PATCH 1/2] Restrict all admin views to the superuser

---
 src/moin/apps/admin/views.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/moin/apps/admin/views.py b/src/moin/apps/admin/views.py
index 0a9ea34b9..aa8f4821e 100644
--- a/src/moin/apps/admin/views.py
+++ b/src/moin/apps/admin/views.py
@@ -75,6 +75,7 @@ def index():
 
 
 @admin.route("/user")
+@require_permission(SUPERUSER)
 def index_user():
     return render_template(
         "user/index_user.html",
@@ -359,6 +360,7 @@ def format_default(default):
 
 
 @admin.route("/highlighterhelp", methods=["GET"])
+@require_permission(SUPERUSER)
 def highlighterhelp():
     """display a table with list of available Pygments lexers"""
     import pygments.lexers
@@ -375,6 +377,7 @@ def highlighterhelp():
 
 
 @admin.route("/interwikihelp", methods=["GET"])
+@require_permission(SUPERUSER)
 def interwikihelp():
     """display a table with list of known interwiki names / urls"""
     headings = [_("InterWiki name"), _("URL")]
@@ -383,6 +386,7 @@ def interwikihelp():
 
 
 @admin.route("/itemsize", methods=["GET"])
+@require_permission(SUPERUSER)
 def itemsize():
     """display a table with item sizes"""
     headings = [_("Size"), _("Item name")]

From d1a30cf280659bfa2161d2458c590464a3070792 Mon Sep 17 00:00:00 2001
From: UlrichB22 <97119703+UlrichB22@users.noreply.github.com>
Date: Tue, 3 Sep 2024 21:57:44 +0200
Subject: [PATCH 2/2] admin views: adapt test_admin.py

---
 src/moin/apps/admin/_tests/test_admin.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/moin/apps/admin/_tests/test_admin.py b/src/moin/apps/admin/_tests/test_admin.py
index dcca5b773..fb40c20f6 100644
--- a/src/moin/apps/admin/_tests/test_admin.py
+++ b/src/moin/apps/admin/_tests/test_admin.py
@@ -1,4 +1,5 @@
 # Copyright: 2011 Sam Toyer
+# Copyright: 2024 MoinMoin:UlrichB
 # License: GNU GPL v2 (or any later version), see LICENSE.txt for details
 
 """
@@ -18,9 +19,9 @@
         ({"endpoint": "admin.userprofile", "user_name": "DoesntExist"}, "403 FORBIDDEN", ("<html>", "</html>")),
         ({"endpoint": "admin.wikiconfig"}, "403 FORBIDDEN", ("<html>", "</html>")),
         ({"endpoint": "admin.wikiconfighelp"}, "403 FORBIDDEN", ("<html>", "</html>")),
-        ({"endpoint": "admin.interwikihelp"}, "200 OK", ("<html>", "</html>")),
-        ({"endpoint": "admin.highlighterhelp"}, "200 OK", ("<html>", "</html>")),
-        ({"endpoint": "admin.itemsize"}, "200 OK", ("<html>", "</html>")),
+        ({"endpoint": "admin.interwikihelp"}, "403 FORBIDDEN", ("<html>", "</html>")),
+        ({"endpoint": "admin.highlighterhelp"}, "403 FORBIDDEN", ("<html>", "</html>")),
+        ({"endpoint": "admin.itemsize"}, "403 FORBIDDEN", ("<html>", "</html>")),
     ),
 )
 def test_admin(app, url_for_args, status, data):