diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 6d42010e..e938db04 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,6 +16,7 @@ This document describes changes between each past release.
 
 ### Added
 - Add a new setting to allow public project creation (ALLOW_PUBLIC_PROJECT_CREATION)
+- With admin credentials, one can access every project
 
 ### Removed
 
diff --git a/budget/tests/tests.py b/budget/tests/tests.py
index 0da05ed1..d49f3b5c 100644
--- a/budget/tests/tests.py
+++ b/budget/tests/tests.py
@@ -376,6 +376,13 @@ class BudgetTestCase(TestCase):
             c.get("/exit")
             self.assertNotIn('raclette', session)
 
+        # test that whith admin credentials, one can access every project
+        run.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
+        with run.app.test_client() as c:
+            resp = c.post("/admin?goto=%2Fraclette", data={'admin_password': 'pass'})
+            self.assertNotIn("Authentication", resp.data.decode('utf-8'))
+            self.assertTrue(session['is_admin'])
+
     def test_admin_authentication(self):
         run.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
         # Disable public project creation so we have an admin endpoint to test
diff --git a/budget/web.py b/budget/web.py
index 70715998..ecb6f7e8 100644
--- a/budget/web.py
+++ b/budget/web.py
@@ -72,6 +72,7 @@ def add_project_id(endpoint, values):
 def pull_project(endpoint, values):
     """When a request contains a project_id value, transform it directly into a project by checking the credentials are stored in session.
+    With admin credentials, one can access every project.
     If not, redirect the user to an authentication form
     """
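Review bot: The added test block does not actually exercise the new admin branch of pull_project: the `c.post("/admin?goto=%2Fraclette", ...)` call is made without `follow_redirects=True`, so if /admin answers a successful login with a redirect to the goto target (as the test's own use of goto suggests), `resp` is that redirect response and `assertNotIn("Authentication", ...)` passes on its body regardless of whether the admin is then let into the project. Suggest `resp = c.post("/admin?goto=%2Fraclette", data={'admin_password': 'pass'}, follow_redirects=True)` followed by an assertion on the project page itself, e.g. `self.assertIn("raclette", resp.data.decode('utf-8'))`, so that a regression in the `or is_admin` check is caught. The comment also has a typo, `whith` for `with`. The enclosing test method starts outside the hunk.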
@@ -85,7 +86,8 @@ def pull_project(endpoint, values):
     if not project:
         raise Redirect303(url_for(".create_project", project_id=project_id))
-    if project.id in session and session[project.id] == project.password:
+    is_admin = session.get('is_admin')
+    if project.id in session and session[project.id] == project.password or is_admin:
         # add project into kwargs and call the original function
         g.project = project
     else:
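Review bot: The new access-control condition mixes `and` and `or` without parentheses; Python parses it as `(project.id in session and session[project.id] == project.password) or is_admin`, which is what is intended, but an authorization check should not rely on the reader knowing operator precedence, so write `if is_admin or (project.id in session and session[project.id] == project.password):`. Since `session.get('is_admin')` now grants access to every project on any truthy value, it is worth confirming that the logout path (`/exit`, exercised in the tests) clears this flag together with the per-project session entries, and documenting the bypass on the line that sets it, e.g. `# admin flag (presumably set by the /admin view) bypasses the per-project password check`. pull_project's body continues outside the hunk.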