Prevent non-superusers from modifying site settings
Review Request #8330 — Created Aug. 15, 2016 and submitted
Previously, any staff member (superuser or non-superuser) could change
any of the site settings. We now prevent all non-superuser staff members
from accessing site settings views so that they cannot. A new decorator
(similar to Django's staff_member_required) has been added to
accomplish this.
- Manually verified that superusers can still change settings.
- Manually verified that non-superusers are shown a permission denied
  page.
- Manually verified that unauthenticated users are shown a login form.
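The access check described above, as an added example that is not the Review Board decorator from this change: a framework-free Python model of the three outcomes listed under testing. The names superuser_required, User, Request, Response and LOGIN_URL, the /admin/settings/ path, and handling the login redirect inside the same decorator are all assumptions.

```python
from dataclasses import dataclass
from functools import wraps
from urllib.parse import urlencode

LOGIN_URL = "/account/login/"  # assumed login path, not taken from the page


@dataclass
class User:  # stand-in for a Django-style user object
    is_authenticated: bool = False
    is_staff: bool = False
    is_superuser: bool = False


@dataclass
class Request:  # stand-in request carrying only what the check needs
    path: str
    user: User


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


def superuser_required(view):
    """Allow only authenticated superusers to reach the wrapped view."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        user = request.user
        if not user.is_authenticated:
            # Anonymous: send to the login form and remember the target.
            query = urlencode({"next": request.path})
            return Response(302, location=f"{LOGIN_URL}?{query}")
        if not user.is_superuser:
            # Logged in but not a superuser (is_staff alone is not enough):
            # deny outright instead of bouncing back to the login page.
            return Response(403, "Permission denied")
        return view(request, *args, **kwargs)
    return wrapper


@superuser_required
def site_settings(request):  # hypothetical settings view
    return Response(200, "settings form")


def outcome(user):
    """Status a constructed user gets when requesting the settings view."""
    return site_settings(Request("/admin/settings/", user)).status
```
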
Description | From | Last Updated |
---|---|---|
This is no longer correct. It should probably also mention that users should use @login_required first. | david | |
I think it's a little confusing to redirect to the login page if a user is already logged in. Can … | david | |
It's only luck that's making flake8 not complain about this. Can we put all the arguments on the next line … | david | |
- reviewboard/admin/decorators.py (Diff revision 1) I think it's a little confusing to redirect to the login page if a user is already logged in. Can we instead show a "permission denied" error?
- reviewboard/admin/decorators.py (Diff revision 1) It's only luck that's making flake8 not complain about this. Can we put all the arguments on the next line and indented 4 spaces from the return?
Diff: Revision 2 (+54 -3)
Tool: Pyflakes
Processed Files: reviewboard/admin/views.py reviewboard/admin/decorators.py
Ignored Files: reviewboard/templates/admin/permission_denied.html reviewboard/static/rb/css/pages/admin.less
Tool: PEP8 Style Checker
Processed Files: reviewboard/admin/views.py reviewboard/admin/decorators.py
Ignored Files: reviewboard/templates/admin/permission_denied.html reviewboard/static/rb/css/pages/admin.less
- reviewboard/admin/decorators.py (Diff revisions 1 - 2) This is no longer correct. It should probably also mention that users should use @login_required first.
Diff: Revision 3 (+71 -3)
Tool: Pyflakes
Processed Files: reviewboard/admin/views.py reviewboard/admin/decorators.py
Ignored Files: reviewboard/templates/admin/permission_denied.html reviewboard/static/rb/css/pages/admin.less
Tool: PEP8 Style Checker
Processed Files: reviewboard/admin/views.py reviewboard/admin/decorators.py
Ignored Files: reviewboard/templates/admin/permission_denied.html reviewboard/static/rb/css/pages/admin.less