From ea8eda35a7bd831964c38b38cc9a5b19bcb44d6a Mon Sep 17 00:00:00 2001
From: 0livd <0livd@users.noreply.github.com>
Date: Thu, 18 May 2017 10:48:09 +0100
Subject: [PATCH] Public project creation and admin permissions (#210)

* Add a @requires_admin decorator

It can be used to protect specific endpoints with ADMIN_PASSWORD
(a password that is stored unencrypted in the settings)
The decorator has no effect if ADMIN_PASSWORD is an empty string (default value)

* Require admin permissions to access create project endpoint

When ADMIN_PASSWORD is not empty, project creation form on the
home page will be replaced by a link to the create project endpoint
so one is able to enter the admin password before filling the form
---
 budget/default_settings.py                    |   2 +
 budget/forms.py                               |   5 +++
 budget/templates/authenticate.html            |   6 +++
 budget/templates/forms.html                   |  10 +++++
 budget/templates/home.html                    |   4 ++
 budget/tests/tests.py                         |  21 ++++++++++
 .../translations/fr/LC_MESSAGES/messages.mo   | Bin 8040 -> 8226 bytes
 .../translations/fr/LC_MESSAGES/messages.po   |   8 ++++
 budget/web.py                                 |  39 +++++++++++++++++-
 9 files changed, 93 insertions(+), 2 deletions(-)

diff --git a/budget/default_settings.py b/budget/default_settings.py
index 210b3f20..15fe9cdd 100644
--- a/budget/default_settings.py
+++ b/budget/default_settings.py
@@ -10,3 +10,5 @@ SECRET_KEY = "tralala"
 MAIL_DEFAULT_SENDER = ("Budget manager", "budget@notmyidea.org")
 
 ACTIVATE_DEMO_PROJECT = True
+
+ADMIN_PASSWORD = ""
diff --git a/budget/forms.py b/budget/forms.py
index f4464751..06df7430 100644
--- a/budget/forms.py
+++ b/budget/forms.py
@@ -83,6 +83,11 @@ class AuthenticationForm(FlaskForm):
     submit = SubmitField(_("Get in"))
 
 
+class AdminAuthenticationForm(FlaskForm):
+    admin_password = PasswordField(_("Admin password"), validators=[Required()])
+    submit = SubmitField(_("Get in"))
+
+
 class PasswordReminder(FlaskForm):
     id = StringField(_("Project identifier"), validators=[Required()])
     submit = SubmitField(_("Send me the code by email"))
diff --git a/budget/templates/authenticate.html b/budget/templates/authenticate.html
index 98914d09..f241c487 100644
--- a/budget/templates/authenticate.html
+++ b/budget/templates/authenticate.html
@@ -7,7 +7,13 @@
 to") }} <a href="{{ url_for(".create_project", project_id=create_project) }}">{{ _("create it") }}</a>{{ _("?") }}
 </p>
 {% endif %}
+{% if admin_auth %}
+<form class="form-horizontal" method="POST" accept-charset="utf-8">
+    {{ forms.admin(form) }}
+</form>
+{% else %}
 <form class="form-horizontal" method="POST" accept-charset="utf-8">
     {{ forms.authenticate(form) }}
 </form>
+{% endif %}
 {% endblock %}
diff --git a/budget/templates/forms.html b/budget/templates/forms.html
index 01e54867..ffdd165b 100644
--- a/budget/templates/forms.html
+++ b/budget/templates/forms.html
@@ -45,6 +45,16 @@
 
 {% endmacro %}
 
+{% macro admin(form) %}
+
+    {% include "display_errors.html" %}
+
+    {{ form.hidden_tag() }}
+    {{ input(form.admin_password) }}
+    {{ submit(form.submit) }}
+
+{% endmacro %}
+
 {% macro create_project(form, home=False) %}
 
     {% include "display_errors.html" %}
diff --git a/budget/templates/home.html b/budget/templates/home.html
index edbee61a..c7a9d1e8 100644
--- a/budget/templates/home.html
+++ b/budget/templates/home.html
@@ -28,6 +28,9 @@
             </form>
         </div>
         <div class="col-3 offset-md-1">
+            {% if is_admin_mode_enabled %}
+            <a href="{{ url_for(".create_project") }}">...{{ _("or create a new one") }}</a>
+            {% else %}
             <form id="creation-form" class="form-horizontal" action="{{ url_for(".create_project") }}" method="post">
                 <fieldset class="form-group">
                     <legend>...{{ _("or create a new one") }}</legend>
@@ -37,6 +40,7 @@
                     <button class="btn" type="submit">{{ _("let's get started") }}</button>
                 </div>
             </form>
+            {% endif %}
         </main>
     </div>
 {% endblock %}
diff --git a/budget/tests/tests.py b/budget/tests/tests.py
index e18e9c32..a1cedfad 100644
--- a/budget/tests/tests.py
+++ b/budget/tests/tests.py
@@ -44,6 +44,8 @@ class TestCase(unittest.TestCase):
         # clean after testing
         models.db.session.remove()
         models.db.drop_all()
+        # reconfigure app with default settings
+        run.configure()
 
     def login(self, project, password=None, test_client=None):
         password = password or project
@@ -373,6 +375,25 @@ class BudgetTestCase(TestCase):
             c.get("/exit")
             self.assertNotIn('raclette', session)
 
+    def test_admin_authentication(self):
+        run.app.config['ADMIN_PASSWORD'] = "pass"
+
+        # test the redirection to the authentication page when trying to access admin endpoints
+        resp = self.app.get("/create")
+        self.assertIn('<a href="/admin?goto=%2Fcreate">', resp.data.decode('utf-8'))
+
+        # test right password
+        resp = self.app.post("/admin?goto=%2Fcreate", data={'admin_password': 'pass'})
+        self.assertIn('<a href="/create">/create</a>', resp.data.decode('utf-8'))
+
+        # test wrong password
+        resp = self.app.post("/admin?goto=%2Fcreate", data={'admin_password': 'wrong'})
+        self.assertNotIn('<a href="/create">/create</a>', resp.data.decode('utf-8'))
+
+        # test empty password
+        resp = self.app.post("/admin?goto=%2Fcreate", data={'admin_password': ''})
+        self.assertNotIn('<a href="/create">/create</a>', resp.data.decode('utf-8'))
+
     def test_manage_bills(self):
         self.post_project("raclette")
 
diff --git a/budget/translations/fr/LC_MESSAGES/messages.mo b/budget/translations/fr/LC_MESSAGES/messages.mo
index 1794c62c0829ef2d705a2b38c02038c453eede41..c824b18aeafe0f26a114e334bc629711589a1e0d 100644
GIT binary patch
delta 2109
zcmZ|Pe@K;A9LMo*dgtwjsre(9*SV)(*R0I2ZLJutTvAc4tu@Lv1jTFJh8lXW+ZyXh
z$Z(8NVOG#D%8<yS*o8(7S`jNNh-@2UtK9I9VIzXVBKFtbA9rBvkICcnI_Es+IX}MV
z``n?jV~hNO%s`j%_X+>`{NGDf?ccwHL9<Cz4`C^OgJJv=N8yCgX6cxPG}%<t5VLSB
zmS7q#bS}qn)YoB#nQwIzUZ5e4S@;=hAv-YzPhmDDFcbSQfOnD0e&?qC50C*ZWz0Vl
z=A!ChoPhID^DIZbw+b_v-_}v!vX7i`)Wkl%j5}O=4^E_h7RTc?oPs}L9zI9Cm&LXV
zF%PxSa@3BOBA30#tq7|zo%yYUf>yX6)$ydOpF^#<54Dq9n2NulLj4dGkzv;!<Yo2C
zMnz;g^2o}O%PP6){VLRv)}yb`Zlj=;cj06_h~0P*btJXCrGZ*e{o3$F?7&<+iW=}d
zDiS}ShmTx)I^i0kUWDbCNkYW&{WRh~gThT3G|(`HF_ny(j`L7EsY0DuD{6;6YGJ!j
zkvNXi@DzI3@18$F)?g{TG;%apKs^r?*##NIUxhbm;P|Y<xeDK)UWE&BFKU7PsGN9!
z%7HPQTQTOMB2<Bj%sZ%Yqxcdwp~n9TwUB+N+&JvJLN{{R32y3e0kyNssGVL%O>iHz
zqaoC1^%OO5fJ9Jx8Y(G6sP;14&3C#CweVjVY&QOdimYEq0whsbg7mSasEOA*Yf%f>
zglyWjVhDG-=e?LiJ%Ku+>sW$!P?1UEp~jnwip=Y%ao$BD;9D&Pg>nNHVjS6&9YQWU
z!%d&v_pbdODzuM~{Ip?I(y5c`AylLaQIRY~MPvagA|Il1pdK^y{kKz4NcN&SUP1E4
z{y^>I8R{1;Oaf>JGf@M*h4Ziy6}dLl!uO#1^&pph$4v|Q85zn3P#b=VLFTt)db0@|
zhk7s>HBbpEREtqNTa7yNYUEvOKqXhZt9QHS-{O4QZ(tiH@onn8?Wm1)qK>2+eSJ2)
z6g<3*8t^eHIns%%LN(jD0&h^?giG*M65(^)f))52d1Ph0JO`^Vj2)<*pFthXRn*4%
z^NGKbYmf%*{2A)^Aiyg0VlgV&)*$(0n^9-qj>_gQQK9Wc?dWUNI2TY8^kF&vf@PS`
zZnVG;Q1i4F5PyaC2o0s!i(1eC5(ImK%IZ{RE5;lgIeTX%Y5{9e3#djdpdR%(#$0<F
z>d3x8&36=)GpCCvXu?aViGD<#)qT_oAEE}z@jABz&yKHah&FngYg$@9ZfdSe%ozP?
z%G8?ww0Y4MudylS#WqH~=IDlvF|VmHk~oky7)X9)&fLyzS?4Fkyt>H97!hye-Dpd!
hxh58gHz!`pemhvOGU7Eb!2k5=><P_G><A4e{|y#=-aY^T

delta 1966
zcmYM!ZD^KN7zgk(XY+k?&eE1`%WS$x2Q!(J%#ct>A(dVbBf=mu=tD+@)mVxVMQ9>n
zS|XX$7Y%J8rIz#}k-bQtG%6|59F>(xzVxZzUvFqU&;2{+JokOhbzSG&+jh%9Pv5aI
zgI_NG9`~K#`(<r<|NlKbq?9Xld)dW}Z08}?@H88EhCZcss4quwI2%~cW{zM7M{@=*
zE2Xc@)o3!XfC=C}*0GmkxrSr7iG#U=K4rH{?%&Hyc!XJKpz5DvqyErg7Z)ncG*sG{
z`8qhv`eoL|Mk#Zdg%`4wcUR+2@CyA^9K}~Sk#Dk@pEJ)L=VboI1llD1WIUd!#3Yvv
zb}|)P!ba<t<r=y1sSNNrDoxqMWVV$fxr-_B2TTSBtMQ}EeJ7ZToTX1`GHK>*amn-7
zGh5lsRCW>j68Qrf*YIJ!!F9}*O!rhKn#bI?nB%#G<G6yE@CBw4+u6ng)%cGb(Epcn
z__Ojo#&-LZ=U=N=|8|Xc4P3|Xm<(#vCwtYxWHy-zXeLvE1)Rh?*v6IB@0)3@@-`Fj
zKDO{<rlLPpo}^tWryA5hjdKQOvBqjQv4@FpC36<mGkd?AQ+a@?%qgZK=a~f>?cdcL
z$ILr}31l{NCgxVor%zef=b9UqF_|rAGJS+u;8`Z4mzdMNg_(FqHNJ;AjGt8Fzi_?x
z@-HUv)h4@v+nCB8<{<vgoT0uyHL~y^Cn64~p)!V&D(%&HH!s(p&1}t`?Bu;nMb<LU
z?`JCVDf9dfOy++u6+FYqtTCAw`$~sKCcfDvui2tYKa>ZVl0Hf2u{^^ZvKOoVTTF%e
znF@Z$RN^30p#f&^|7HSdG<hm9k-6`7Hst+Zp^;2hGyl2XVKUgmOmvvj`7KkjQ4WU4
zOB-`v7jstTyCjhN>DKZPlkqC1GV3UovauT9$&2s*K8-~96_e>PX0LyxPr2ZdL)B=t
z^gEf~=dqi2aTV8A<D<Qk&U0yH7Vc!;mTtE39%jB?_T^B#s*zH?S9yeo^w08Eex&Zb
zth?&c7Odek{jF^0*G$I$Fk3Rxq)BKTbC#wsm6*jTyp4J8(FyABnX=h{b5Zs%d;SG;
zdcR>xdYZ}PJTp<k&jR(F!&dfi8FNNnXBOJeRP+S9c$x`ll5FKxX13V>oaV&_rgAB>
z=g(JeU;@~}1hAb6U<dPB?ybf@W47inv*1bQtejyMtdmXFX=b+WS|-4*VH%leY3qi~
mLw5Bq8Tv$B|AqSR2iH!YcH@SlP4D;b96NtVf6s*Dwf_MXZ?!G}

diff --git a/budget/translations/fr/LC_MESSAGES/messages.po b/budget/translations/fr/LC_MESSAGES/messages.po
index 8bf347ab..609846ff 100644
--- a/budget/translations/fr/LC_MESSAGES/messages.po
+++ b/budget/translations/fr/LC_MESSAGES/messages.po
@@ -41,6 +41,10 @@ msgstr "Email"
 msgid "Project identifier"
 msgstr "Identifiant du projet"
 
+#: forms.py:87
+msgid "Admin password"
+msgstr "Mot de passe administrateur"
+
 #: forms.py:87 templates/send_invites.html:5
 msgid "Create the project"
 msgstr "Créer le projet"
@@ -158,6 +162,10 @@ msgstr "remboursements"
 msgid "Export file format"
 msgstr "Format du fichier d'export"
 
+#: web.py:95
+msgid "This admin password is not the right one"
+msgstr "Le mot de passe administrateur que vous avez entré n'est pas correct"
+
 #: web.py:95
 msgid "This private code is not the right one"
 msgstr "Le code que vous avez entré n'est pas correct"
diff --git a/budget/web.py b/budget/web.py
index efb427cb..3bfa73a1 100644
--- a/budget/web.py
+++ b/budget/web.py
@@ -16,11 +16,12 @@ from flask_babel import get_locale, gettext as _
 from smtplib import SMTPRecipientsRefused
 import werkzeug
 from sqlalchemy import orm
+from functools import wraps
 
 # local modules
 from models import db, Project, Person, Bill
-from forms import AuthenticationForm, EditProjectForm, InviteForm, \
-    MemberForm, PasswordReminder, ProjectForm, get_billform_for, \
+from forms import AdminAuthenticationForm, AuthenticationForm, EditProjectForm, \
+    InviteForm, MemberForm, PasswordReminder, ProjectForm, get_billform_for, \
     ExportForm
 from utils import Redirect303, list_of_dicts2json, list_of_dicts2csv
 
@@ -28,6 +29,19 @@ main = Blueprint("main", __name__)
 mail = Mail()
 
 
+def requires_admin(f):
+    """Require admin permissions for @requires_admin decorated endpoints.
+       Has no effect if ADMIN_PASSWORD is empty (default value)
+    """
+    @wraps(f)
+    def admin_auth(*args, **kws):
+        admin_password = session.get('admin_password', '')
+        if not admin_password == current_app.config['ADMIN_PASSWORD']:
+            raise Redirect303(url_for('.admin', goto=request.path))
+        return f(*args, **kws)
+    return admin_auth
+
+
 @main.url_defaults
 def add_project_id(endpoint, values):
     """Add the project id to the url calls if it is expected.
@@ -66,6 +80,23 @@ def pull_project(endpoint, values):
                     url_for(".authenticate", project_id=project_id))
 
 
+@main.route("/admin", methods=["GET", "POST"])
+def admin():
+    """Admin authentication"""
+    form = AdminAuthenticationForm()
+    goto = request.args.get('goto', url_for('.home'))
+    if request.method == "POST":
+        if form.validate():
+            if form.admin_password.data == current_app.config['ADMIN_PASSWORD']:
+                session['admin_password'] = form.admin_password.data
+                session.update()
+                return redirect(goto)
+            else:
+                msg = _("This admin password is not the right one")
+                form.errors['admin_password'] = [msg]
+    return render_template("authenticate.html", form=form, admin_auth=True)
+
+
 @main.route("/authenticate", methods=["GET", "POST"])
 def authenticate(project_id=None):
     """Authentication form"""
@@ -121,14 +152,18 @@ def authenticate(project_id=None):
 def home():
     project_form = ProjectForm()
     auth_form = AuthenticationForm()
+    # If ADMIN_PASSWORD is empty we consider that admin mode is disabled
+    is_admin_mode_enabled = bool(current_app.config['ADMIN_PASSWORD'])
     is_demo_project_activated = current_app.config['ACTIVATE_DEMO_PROJECT']
 
     return render_template("home.html", project_form=project_form,
                            is_demo_project_activated=is_demo_project_activated,
+                           is_admin_mode_enabled=is_admin_mode_enabled,
                            auth_form=auth_form, session=session)
 
 
 @main.route("/create", methods=["GET", "POST"])
+@requires_admin
 def create_project():
     form = ProjectForm()
     if request.method == "GET" and 'project_id' in request.values: