Admin can access every projects

CHANGELOG.rst

@@ -16,6 +16,7 @@ This document describes changes between each past release.
 ### Added
 
 - Add a new setting to allow public project creation (ALLOW_PUBLIC_PROJECT_CREATION)
+- With admin credentials, one can access every project
 
 ### Removed
 

budget/tests/tests.py

@@ -376,6 +376,13 @@ class BudgetTestCase(TestCase):
             c.get("/exit")
             self.assertNotIn('raclette', session)
 
+        # test that whith admin credentials, one can access every project
+        run.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
+        with run.app.test_client() as c:
+            resp = c.post("/admin?goto=%2Fraclette", data={'admin_password': 'pass'})
+            self.assertNotIn("Authentication", resp.data.decode('utf-8'))
+            self.assertTrue(session['is_admin'])
+
     def test_admin_authentication(self):
         run.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
         # Disable public project creation so we have an admin endpoint to test

budget/web.py

@@ -72,6 +72,7 @@ def add_project_id(endpoint, values):
 def pull_project(endpoint, values):
     """When a request contains a project_id value, transform it directly
     into a project by checking the credentials are stored in session.
+    With admin credentials, one can access every project.
 
     If not, redirect the user to an authentication form
     """
@@ -85,7 +86,8 @@ def pull_project(endpoint, values):
         if not project:
             raise Redirect303(url_for(".create_project",
                 project_id=project_id))
-        if project.id in session and session[project.id] == project.password:
+        is_admin = session.get('is_admin')
+        if project.id in session and session[project.id] == project.password or is_admin:
             # add project into kwargs and call the original function
             g.project = project
         else: