peterstockings/workout
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Ensure only admins can delete users/exercises and users can only edit there own name

Browse Source
This commit is contained in:
Peter Stockings
2026-01-31 14:19:16 +11:00
parent 32719cc141
commit 62080b97a4
2 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
decorators.py
View File

@@ -97,11 +97,30 @@ ACTION_MAP = {
'tags.delete_tag': 'delete this tag',
'tags.add_tag_to_workout': 'add a tag to this workout',
'tags.create_new_tag_for_workout': 'create a new tag for this workout',
'programs.create_program': 'create a workout program',
'workout.create_program': 'create a workout program',
'programs.delete_program': 'delete this workout program',
'delete_exercise': 'delete an exercise',
'delete_person': 'delete a user',
}
def admin_required(func):
@wraps(func)
def wrapper(*args, **kwargs):
if not current_user.is_authenticated or not getattr(current_user, 'is_admin', False):
from flask import flash
msg = "You must be an admin to perform this action."
if request.endpoint in ACTION_MAP:
msg = f"You must be an admin to {ACTION_MAP[request.endpoint]}."
flash(msg, "warning")
if request.headers.get('HX-Request'):
return '', 200, {'HX-Redirect': url_for('dashboard')}
return render_template('error.html', error='403', message=msg, url='/')
return func(*args, **kwargs)
return wrapper
def get_auth_message(endpoint, person_id=None, is_authenticated=False):
"""Generates a friendly authorization message."""
action = ACTION_MAP.get(endpoint)
@@ -128,8 +147,9 @@ def require_ownership(func):
def wrapper(*args, **kwargs):
person_id = get_person_id_from_context()
# Authorization check: must be logged in and the owner
if not current_user.is_authenticated or person_id is None or int(current_user.get_id()) != person_id:
# Authorization check: must be logged in and (the owner or an admin)
is_admin = getattr(current_user, 'is_admin', False)
if not current_user.is_authenticated or (person_id is not None and int(current_user.get_id()) != person_id and not is_admin):
from flask import flash
msg = get_auth_message(request.endpoint, person_id, is_authenticated=current_user.is_authenticated)
flash(msg, "info")