From 6d618c7203a3a384e9497f7d83768df700ae7e9b Mon Sep 17 00:00:00 2001
From: Philipp Spitzer
Date: Mon, 22 Jun 2020 23:14:16 +0200
Subject: [PATCH] Prepare to restrict access to administrators
---
 setup.py | 1 +
 wradmin/__init__.py | 38 ++++++++++++++++++++++++++++++++++----
 2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/setup.py b/setup.py
index 0546aa7..430f8e1 100644
--- a/setup.py
+++ b/setup.py
@@ -15,6 +15,7 @@ setup(
 "wrpylib>=0.6.0",
 "Flask",
 "Flask-Login",
+ "Flask-Principal",
 "Flask-WTF",
 "mysqlclient",
 ],
diff --git a/wradmin/__init__.py b/wradmin/__init__.py
index ebb1c94..92ba2d3 100644
--- a/wradmin/__init__.py
+++ b/wradmin/__init__.py
@@ -1,4 +1,5 @@
-from flask import Flask, send_from_directory, abort, g, render_template, request, redirect, url_for, flash
+from flask import Flask, send_from_directory, abort, g, render_template, request, redirect, url_for, flash, \
+ session, current_app
 from sqlalchemy.engine import create_engine
 import wradmin.model
 import wradmin.template_helper
@@ -9,6 +10,8 @@ from wradmin.controllers.coordtool import CoordtoolController
 from wradmin.auth import password_is_correct
 from wradmin.auth.forms import LoginForm
 from flask_login import LoginManager, current_user, login_required, login_user, logout_user
+from flask_principal import Principal, Permission, RoleNeed, identity_changed, identity_loaded, Identity, \
+ AnonymousIdentity, UserNeed
 app = Flask(__name__)
@@ -17,6 +20,8 @@ wradmin.model.init_model(create_engine(app.config['DATABASE_URI']))
 app.jinja_env.globals.update(h=wradmin.template_helper.PylonsHelper())
 login_manager = LoginManager(app)
 login_manager.login_view = "login"
+principals = Principal(app)
+admin_permission = Permission(RoleNeed('admin'))
 @app.before_request
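Review bot: The new `"Flask-Principal"` entry in `install_requires` carries no version constraint, unlike `"wrpylib>=0.6.0"` just above it, so a fresh install resolves to whatever the index serves that day. Since this package now is the authorization boundary in front of the admin routes, give it at least a floor, `"Flask-Principal>=0.4.0",`, and pin the exact tested version in a deployment lock file. The other Flask entries are also unpinned, so this may be deliberate project style; if so, at least record the version that was tested against.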
@@ -36,74 +41,85 @@ def index():
 @app.route("/rodelbahn/list")
+@login_required
 def rodelbahn_list():
 return RodelbahnController().list()
 @app.route("/rodelbahn/view/")
+@admin_permission.require()
 def rodelbahn_view(id):
 return RodelbahnController().view(id)
 @app.route("/rodelbahn/update")
+@admin_permission.require()
 def rodelbahn_update():
 return RodelbahnController().update()
 @app.route("/rodelbahn/update_regioncache")
+@login_required
 def rodelbahn_update_regioncache():
 return RodelbahnController().update_regioncache()
 @app.route("/rodelbahn/update_mapcache")
+@login_required
 def rodelbahn_update_mapcache():
 return RodelbahnController().update_mapcache()
 @app.route("/bericht/list")
-@login_required
+@admin_permission.require()
 def bericht_list():
 return BerichtController().list()
 @app.route("/bericht/view/")
-@login_required
+@admin_permission.require()
 def bericht_view(id):
 return BerichtController().view(id)
 @app.route("/bericht/change_date_invalid/", methods=['POST'])
-@login_required
+@admin_permission.require()
 def bericht_change_date_invalid(id):
 return BerichtController().change_date_invalid(id)
 @app.route("/bericht/update_reportcache")
+@login_required
 def bericht_update_reportcache():
 return BerichtController().update_reportcache()
 @app.route("/gasthaus/list")
+@login_required
 def gasthaus_list():
 return GasthausController().list()
 @app.route("/gasthaus/view/")
+@login_required
 def gasthaus_view(id):
 return GasthausController().view(id)
 @app.route("/gasthaus/update")
+@login_required
 def gasthaus_update():
 return GasthausController().update()
 @app.route("/coordtool/index")
+@login_required
 def coordtool_index():
 return CoordtoolController().index()
 @app.route("/coordtool/convert", methods=['POST'])
+@login_required
 def coordtool_convert():
 return CoordtoolController().convert()
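Review bot: `@admin_permission.require()` is applied without `http_exception`, so a logged-in non-admin — and, on the three `bericht_*` routes where `@login_required` was replaced rather than kept, an anonymous visitor too — gets Flask-Principal's `PermissionDenied` exception, which surfaces as a 500 instead of a 403 or a redirect to `login_manager.login_view`. Stack both decorators under each `@app.route`, `@login_required` above `@admin_permission.require(http_exception=403)`, so that the outer `login_required` runs first and sends anonymous requests to the login page while the inner check answers 403 for authenticated non-admins. The split between admin-only and login-only also looks uneven: `rodelbahn_update` is admin-only while `rodelbahn_update_regioncache`, `rodelbahn_update_mapcache`, `gasthaus_update` and `bericht_update_reportcache` stay login-only; if those also write data, as their names suggest, they deserve the same boundary. All of those update routes are reachable by GET, so any logged-in user can be made to trigger them from a third-party page; a POST with the Flask-WTF CSRF token would close that, but that is pre-existing rather than introduced here.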
@@ -115,6 +131,7 @@ def login():
 user = wradmin.model.meta.Session.query(wradmin.model.MwUser).filter_by(user_name=form.user_name.data).first()
 if user is not None and password_is_correct(form.password.data, user.user_password.decode()):
 login_user(user, form.remember_me.data)
+ identity_changed.send(current_app._get_current_object(), identity=Identity(user.get_id()))
 next = request.args.get('next')
 if next is None or not next.startswith('/'):
 next = url_for('index')
@@ -127,6 +144,9 @@ def login():
 @app.route("/logout")
 def logout():
 logout_user()
+ for key in ('identity.name', 'identity.auth_type'):
+ session.pop(key, None)
+ identity_changed.send(current_app._get_current_object(), identity=AnonymousIdentity())
 flash('Sie wurden ausgeloggt.')
 return redirect(url_for('index'))
@@ -134,3 +154,13 @@ def logout():
 @login_manager.user_loader
 def user_loader(user_id):
 return wradmin.model.meta.Session.query(wradmin.model.MwUser).get(user_id)
+
+
+@identity_loaded.connect_via(app)
+def on_identity_loaded(sender, identity):
+ identity.user = current_user
+ user_id = current_user.get_id()
+ if user_id is not None:
+ identity.provides.add(UserNeed(user_id))
+ if current_user.user_name == b'Philipp':
+ identity.provides.add(RoleNeed('admin'))
-- 
2.39.5
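Review bot: The `next` validation on the context lines right below the added `identity_changed.send(...)` accepts protocol-relative targets such as `//evil.example/` (and `/\evil.example`, which browsers normalise the same way), because `next.startswith('/')` is true for them; the result is an open redirect fired immediately after a successful login, the classic phishing hop. This is pre-existing rather than introduced by the hunk, but the hunk is editing the login flow, so it is the moment to tighten it: `if next is None or not next.startswith('/') or next.startswith(('//', '/\\')):`, or reject anything where `urlsplit(next).netloc` is non-empty (that needs `from urllib.parse import urlsplit`, not currently imported). The added line itself looks correct: it runs only after `login_user` succeeded and names the identity by `user.get_id()`, the same key `user_loader` resolves. `login` begins before this hunk.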
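Review bot: Popping `identity.name` and `identity.auth_type` and then announcing `AnonymousIdentity()` ends the Flask-Principal identity but leaves every other session key in place, so a logout meant to end the authenticated state should instead drop the whole session — `session.clear()` after `logout_user()` and before the `flash(...)` call — so nothing stored by the previous user survives into the next login in the same browser. If Flask-Principal's default session saver is active (`Principal(app)` was created without `use_sessions=False`), the `identity_changed.send(...)` in the same request will, as far as I can tell, write `identity.name` back as `None`, which makes the two `session.pop` lines mostly cosmetic; harmless, but worth a one-line comment such as `# Principal's session saver rewrites these keys; cleared explicitly in case session saving is disabled`. `logout` also remains a GET route, so any page can log the user out cross-site; a POST carrying the Flask-WTF CSRF token is the usual shape, though that is not something this commit changes.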
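Review bot: The admin role is granted by comparing `current_user.user_name` with the hard-coded literal `b'Philipp'`, which ties the authorization boundary to a username baked into the source and fails silently in both directions — it never matches if the column is returned as `str` instead of `bytes`, and it cannot be changed without a deploy. Read the admin set from configuration instead, `if current_user.user_name in app.config.get('ADMIN_USER_NAMES', ()):`, or, if `MwUser` is backed by MediaWiki's user tables as the name suggests, derive it from the user's group membership. The collapsed hunk does not show whether that `if` is nested under `if user_id is not None:`; if it is not, the `AnonymousIdentity` sent from `logout` reaches this handler with Flask-Login's anonymous `current_user`, which has no `user_name`, and logout raises `AttributeError`. Nesting the role check inside the `user_id` guard covers both cases and also deserves a docstring stating that this hook is the single place roles are attached to an identity.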