Add simple model and views for admin users

HTML views for listing, adding and removing admin users, and a boolean admin column on the db table. This will need a db migration. Currently anyone can use these views. Currently being an admin doesn't do anything.
hypothesis · Jul 13, 2015 · 58f00c1 · 58f00c1
1 parent 9f94961
commit 58f00c1
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 0 deletions.
diff --git a/h/accounts/models.py b/h/accounts/models.py
@@ -77,6 +77,8 @@ class User(Base):
                       server_default=sa.sql.expression.false(),
                       nullable=False)
 
+    admin = sa.Column(sa.BOOLEAN, default=False, nullable=False)
+
     def _get_username(self):
         return self._username
 

diff --git a/h/accounts/views.py b/h/accounts/views.py
@@ -7,6 +7,7 @@
 from pyramid.security import forget
 from pyramid_mailer import get_mailer
 from pyramid_mailer.message import Message
+from sqlalchemy.sql import expression
 
 from h.resources import Application
 from h.notification.models import Subscriptions
@@ -574,6 +575,45 @@ def _update_subscription_data(request, subscription):
     request.session.flash(_('Changes saved!'), 'success')
 
 
+@view_config(attr='index', route_name='admin_users_index',
+             renderer='h:templates/admin_users.html',)
+@view_config(attr='create', route_name='admin_users_index',
+             request_method='POST', renderer='h:templates/admin_users.html')
+@view_config(attr='delete', route_name='admin_user_delete',
+             request_method='POST', renderer='h:templates/admin_users.html')
+class AdminController(object):
+    """A controller to contain the views for managing admin users.
+
+    For example listing all admin users, making a user an admin, removing admin
+    permissions from a user.
+
+    """
+    def __init__(self, request):
+        self.request = request
+
+    def index(self):
+        """A list of all the admin users as an HTML page."""
+        rows = self.request.db.query(User.username).filter(
+            User.admin == expression.true()).all()
+        admin_users = [row[0] for row in rows]
+        return {"admin_users": admin_users}
+
+    def create(self):
+        """Make a given user an admin."""
+        user_id = self.request.params['add']
+        user = User.get_by_username(user_id)
+        user.admin = True
+        return self.index()
+
+    def delete(self):
+        """Remove a user from the admins."""
+        user_id = self.request.params['remove']
+        user = User.get_by_username(user_id)
+        user.admin = False
+        return httpexceptions.HTTPSeeOther(
+            location=self.request.route_url('admin_users_index'))
+
+
 def includeme(config):
     config.add_route('login', '/login')
     config.add_route('logout', '/logout')
@@ -584,4 +624,6 @@ def includeme(config):
     config.add_route('forgot_password', '/forgot_password')
     config.add_route('reset_password', '/reset_password/{code}')
     config.add_route('disable_user', '/account/disable')
+    config.add_route('admin_users_index', '/admins')
+    config.add_route('admin_user_delete', '/admins/delete')
     config.scan(__name__)
diff --git a/h/templates/admin_users.html b/h/templates/admin_users.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>Admin Users</title>
+  </head>
+  <body>
+
+  <form method="POST">
+    <input type="text" name="add"></input>
+    <input type="submit" value="Add"></input>
+
+    <ul>
+      {% for user in admin_users %}
+        <li>
+          {{ user }}
+          <button type="submit" name="remove" value="{{ user }}"
+                  formaction="{{ request.route_url('admin_user_delete') }}">
+            remove
+          </button>
+        </li>
+      {% endfor %}
+    </ul>
+  </form>
+
+  </body>
+</html>