Restrict user search/import to cf admins

mhagander · mhagander · commit fb632f22912f · 2023-02-21T15:19:01.000+01:00
All users can still enumerate local users, but the functionality to
search the central database is restricted to admins only.

Reported by Benjamin Flesch
diff --git a/pgcommitfest/commitfest/ajax.py b/pgcommitfest/commitfest/ajax.py
@@ -223,13 +223,19 @@ def detachThread(request):
 
 
 def searchUsers(request):
+    if not request.user.is_staff:
+        return []
+
     if request.GET.get('s', ''):
         return user_search(request.GET['s'])
     else:
         return []
 
 
 def importUser(request):
+    if not request.user.is_staff:
+        raise Http404()
+
     if request.GET.get('u', ''):
         u = user_search(userid=request.GET['u'])
         if len(u) != 1:
diff --git a/pgcommitfest/commitfest/templates/base_form.html b/pgcommitfest/commitfest/templates/base_form.html
@@ -40,6 +40,7 @@
 {%include "thread_attach.inc" %}
 {%endif%}
 
+{%if user.is_staff%}
 <div class="modal fade" id="searchUserModal" role="dialog">
   <div class="modal-dialog modal-lg">
     <div class="modal-content">
@@ -66,6 +67,7 @@ <h3>Search user</h3>
     </div>
   </div>
 </div>
+{%endif%}
 {%endblock%}
 
 {%block extrahead%}
@@ -97,6 +99,7 @@ <h3>Search user</h3>
       }
    });
 {%endfor%}
+{%if user.is_staff%}
    $('.selectize-control').after(
       $('<a href="#" class="btn btn-default btn-sm">Import user not listed</a>').click(function () {
           search_and_store_user();
@@ -106,6 +109,7 @@ <h3>Search user</h3>
 $('#searchUserModal').on('shown.bs.modal', function() {
 	  $('#searchUserSearchField').focus();
 });
+{%endif%}
 
 /* Build our button callbacks */
 $(document).ready(function() {
