From: Evan Broder
Date: Thu, 25 Feb 2010 04:17:27 +0000 (-0500)
Subject: Don't let non-residents create new users.
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=8475eee6839c8249d295d725142ca431fa24624c;hp=4f3b35da3c12251c426f9786f77d4b7aed3e243e;p=bluechips.git
Don't let non-residents create new users.
---
diff --git a/bluechips/controllers/user.py b/bluechips/controllers/user.py
index 8fff3c8..e06a8d9 100644
--- a/bluechips/controllers/user.py
+++ b/bluechips/controllers/user.py
@@ -5,10 +5,13 @@ Calculate the current state of the books
 import logging
 from bluechips.lib.base import *
+from bluechips.lib.permissions import BlueChipResident
 import sqlalchemy
 from sqlalchemy import orm
+from authkit.authorize.pylons_adaptors import authorize
+
 from pylons import request
 from pylons.decorators import validate
 from pylons.decorators.secure import authenticate_form
@@ -70,11 +73,13 @@ class UserController(BaseController):
 h.flash("Updated email address to '%s'." % new_email)
 return h.redirect_to('/')
+ @authorize(BlueChipResident())
 def new(self):
 c.title = 'Register a New User'
 return render('/user/new.mako')
 @authenticate_form
+ @authorize(BlueChipResident())
 @validate(schema=NewUserSchema(), form='new')
 def create(self):
 u = model.User(username=self.form_result['username'],
diff --git a/bluechips/lib/permissions.py b/bluechips/lib/permissions.py
index 75429ea..2249726 100644
--- a/bluechips/lib/permissions.py
+++ b/bluechips/lib/permissions.py
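Review bot: In `bluechips/controllers/user.py`, the residency check on `create` depends on decorator order, and nothing in the code says so: `@authorize(BlueChipResident())` sits between `@authenticate_form` and `@validate`, so it should run after the form-token check and before `NewUserSchema` is evaluated, which keeps a non-resident from getting validation feedback on a request that will be refused. A comment above the stack, e.g. `# authorize must stay above @validate: non-residents are refused before the schema runs`, would stop a later reorder from changing that silently. The patch as shown includes no test; a functional test asserting that an authenticated non-resident is refused on both `new` and `create` would pin the rule. `UserController` and `create` both continue outside the hunk, so other actions in the class cannot be checked from here.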
@@ -20,6 +20,16 @@ class BlueChipUser(RequestPermission):
 raise NotAuthorizedError('You are not allowed access.') # pragma: nocover
 return app(environ, start_response)
+class BlueChipResident(RequestPermission):
+ def check(self, app, environ, start_response):
+ if 'user' not in environ:
+ raise NotAuthenticatedError('Not Authenticated')
+
+ if not getattr(environ['user'], 'resident', False):
+ raise NotAuthorizedError('You are not allowed access.')
+
+ return app(environ, start_response)
+
 class DummyAuthenticate(AddDictToEnviron):
 """
 Set the authkit.authenticate environment variable so
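Review bot: `BlueChipResident` is added without a docstring, and its one non-obvious property is that it fails closed: `getattr(environ['user'], 'resident', False)` refuses any user object that lacks the attribute or holds a falsy value. I would record that in a class docstring, for example `"""Allow the request only when environ['user'] has a truthy 'resident' attribute."""`. The `'user' not in environ` test and both error messages look like they mirror `BlueChipUser.check`, whose body starts above the hunk; if so, a shared helper or subclassing would keep the two permission classes from drifting apart. The new `raise` lines also drop the `# pragma: nocover` marker used on the neighbouring class, which is only right if tests now exercise both refusal paths.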