V podstromu /acct/ se musíme vyrovnat s nepřihlášeným uživatelem

9e01c41b · Martin Mareš · b73e6a93 · 9e01c41b
Commit 9e01c41b authored Jan 9, 2022 by Martin Mareš
--- a/mo/web/acct.py
+++ b/mo/web/acct.py
@@ -23,6 +23,8 @@ import mo.util
 from mo.web import app, NeedLoginError
 import mo.web.fields as mo_fields

+# POZOR: V podstromu /acct/ není vyžadován login
+

 class LoginForm(FlaskForm):
    next = wtforms.HiddenField()
@@ -99,6 +101,8 @@ def logout():

 @app.route('/acct/incarnate/<int:id>', methods=('POST',))
 def incarnate(id):
+    if not g.user:
+        raise NeedLoginError()
    if not g.user.is_admin:
        raise werkzeug.exceptions.Forbidden()

@@ -120,6 +124,8 @@ class AcctSettingsForm(FlaskForm):
 def user_settings():
    sess = db.get_session()
    user = g.user
+    if not user:
+        raise NeedLoginError()

    form = AcctSettingsForm()
    if not form.submit.data:
@@ -167,6 +173,8 @@ class PersonalSettingsForm(FlaskForm):
 def user_settings_personal():
    sess = db.get_session()
    user = g.user
+    if not user:
+        raise NeedLoginError()

    form = PersonalSettingsForm()
    if not form.submit.data: