Luke Plant avatar Luke Plant committed 69dbd94

Added security for adminCategories view


Files changed (4)

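--- a/src/Blog/Routes.hs
+++ b/src/Blog/Routes.hs
          , "feeds/" <+/> empty                        //-> infoPageView "feeds"   $ []
          , "login/" <+/> empty                        //-> loginView              $ []
          , "logout/" <+/> empty                       //-> logoutView             $ []
-         , "admin/category/" <+/> empty               //-> adminCategories        $ []
+         , "admin/category/" <+/> empty               //-> adminCategories        $ [adminRequired]
          , "debug/" <+/> anyParam                     //-> debug                  $ []
          ]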
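Review bot: Authorization here is opt-in per route, so `admin/category/` is protected only because its decorator list changed from `[]` to `[adminRequired]`, and any further `admin/...` entry added later with the default `$ []` will be reachable without a login. Consider applying `adminRequired` once to the whole admin prefix rather than to each entry, or adding a test that asserts every route whose path starts with `admin/` carries it. The unguarded `debug/` route on the next line is pre-existing; if `debug` echoes request or environment details it probably wants the same decorator. The enclosing route list starts outside the hunk.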

src/Blog/Views.hs

                         setStatus 404
                        ]
 
+return403 :: View
+return403 req = do
+  t <- get_template "forbidden"
+  return $ Just $ with (standardResponseTT req t) [
+                 setStatus 403
+                ]
+
+
 ---- Views
 
 -- View for the main page
       else Nothing
 
 
+-- Decorators
+
+-- | Decorate a view function with this to limit the view
+-- to users who are 'admins'
+
+adminRequired :: View -> View
+adminRequired view = \req -> do
+  creds <- getCredentials req
+  case creds of
+    Just n -> if n `elem` Settings.admin_usernames
+              then view req
+              else return403 req
+    Nothing -> return403 req
+
 -- Utilities
 
 getPage req = (getGET req "p") `captureOrDefault` 1 :: Int
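Review bot: adminRequired's Haddock says who is let through but not what everyone else gets, and that fall-through is the security-relevant part: both a missing login and a logged-in non-admin end up at return403, so the wrapper is fail-closed. I would extend the comment with `-- Requests with no credentials, or whose username is not in 'Settings.admin_usernames', are answered by 'return403' and never reach the wrapped view.` The body can also drop the lambda and nested if in favour of a guard: `adminRequired view req = do`, `Just n | elem n Settings.admin_usernames -> view req`, `_ -> return403 req`. Whether `getCredentials` returns an authenticated identity (for example from a server-verified session) rather than a client-supplied name is not visible here and is what this check ultimately rests on, so a line in the comment pointing at that function's contract would help the next reader.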

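--- a/src/Blog/settingslocal.hs
+++ b/src/Blog/settingslocal.hs
 prog_uri = "/cgi-bin/blog.cgi" -- Used for redirecting
 blog_author_name = "luke"
 reserved_names = [blog_author_name]
+admin_usernames = [blog_author_name]
 
 post_page_size = 20 :: Int
 domain = "lukeplant_local"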
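Review bot: `admin_usernames` is added without a type, while the neighbouring `post_page_size = 20 :: Int` annotates inline; since `Views.adminRequired` compares this list with `elem` against whatever `getCredentials` returns, pinning the element type here (e.g. `admin_usernames = [blog_author_name] :: [String]`, if that is indeed `blog_author_name`'s type) documents the contract and turns a mismatch into an error at the definition rather than at the use site. The file name suggests a machine-local settings module; if the shared default settings do not also define `admin_usernames`, builds against another local file will fail — worth confirming.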

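--- a/src/templates/forbidden.st
+++ b/src/templates/forbidden.st
+$pagestart(pagetitle="Forbidden")$
+<h1>403 Forbidden</h1>
+<p>Permission denied.  You may need to <a href="/blog/login/">login</a></p>
+$pageend()$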
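Review bot: The login link is hard-coded as `/blog/login/` while the settings hunk shows `prog_uri = "/cgi-bin/blog.cgi" -- Used for redirecting`, so a deployment that changes prog_uri gets a 403 page whose link points elsewhere; if the template layer exposes the configured URI, build the href from it instead. The page reads the same for an anonymous visitor and for a logged-in non-admin, which is fine from a disclosure standpoint, but the "you may need to login" hint is only accurate for the former.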