BUGFIX: Fix ``admin_required`` decorator to not redirect connected users with no admin credentials in infinite loop. #32

Merged
merged 1 commit into from Oct 2, 2012


@mouadino

Hi,

First of all, I want to thank everyone responsible for this great project. It was very helpful to me, and to make it more so, allow me to make my contribution; hopefully it will be helpful to someone other than me.

Description:

When a logged-in user with no admin credentials tries to access a URL which requires admin credentials, the user will be trapped in an infinite loop of redirects.

How to reproduce:

  • First of all, you need to be in a production environment.
  • Log in as a user with no admin credentials.
  • Now try to access a URL that requires admin credentials.
  • You should now see that you are trapped in an infinite redirect loop.

My fix:

The new code is simple; basically, it only redirects users who are not logged in to the login URL:

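if users.get_current_user():
    # Signed in but not an admin: fail with 401 instead of redirecting again.
    if not users.is_current_user_admin():
        abort(401)
    return func(*args, **kwargs)
# Not signed in: send the visitor to the login page, then back to this URL.
return redirect(users.create_login_url(request.url))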

Drawbacks:

One drawback of this new code is that in a development environment, if you are already logged in as a non-admin user and you try to access an admin page, you will have to log out before you can try again.

HTH,

mouad

@kamalgill kamalgill merged commit 5696f24 into kamalgill:master Oct 2, 2012
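
The loop and the fix described in this pull request, as an added example that is not part of the pull request or the project's code. It models the redirect chain without App Engine; the pre-fix decorator logic, the `/_login` URL, and the login page bouncing an existing session straight back are assumptions.

```python
# Added illustration: a self-contained model, no App Engine or web framework.
# The pre-fix decorator logic and the login-page behaviour are assumptions.
LOGIN = "/_login?continue="  # constructed stand-in for users.create_login_url()

class Abort(Exception):
    def __init__(self, code):
        self.code = code

def make_app(user, is_admin, fixed):
    """Return handle(url) -> (status, location) for one session state."""
    def admin_required(func):
        def wrapper(url):
            if fixed:  # logic from the pull request
                if user:
                    if not is_admin:
                        raise Abort(401)
                    return func(url)
                return (302, LOGIN + url)
            # Assumed old logic: every non-admin is sent to the login URL.
            if not is_admin:
                return (302, LOGIN + url)
            return func(url)
        return wrapper

    @admin_required
    def admin_page(url):
        return (200, None)

    def handle(url):
        if url.startswith(LOGIN):
            # Assumption: an existing session is bounced straight back to the
            # continue URL; an anonymous visitor gets the sign-in form (200).
            return (302, url[len(LOGIN):]) if user else (200, None)
        try:
            return admin_page(url)
        except Abort as exc:
            return (exc.code, None)
    return handle

def follow(handle, url):
    """Follow redirects like a browser; report a loop when a URL repeats."""
    seen = set()
    while url not in seen:
        seen.add(url)
        status, location = handle(url)
        if status != 302:
            return status
        url = location
    return "redirect loop"
```

Calling `follow(make_app("bob", False, fixed=False), "/admin")` reports the loop, while the same session with `fixed=True` ends at 401.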