diff --git a/files/helpers/const.py b/files/helpers/const.py
index 64cddcfa3..76fece81d 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -155,6 +155,11 @@ PERMS = { # Minimum admin_level to perform action.
 'ADMIN_REMOVE': 3,
 'ADMIN_ADD_PERM_LEVEL': 2, # permission level given when user added via site
 'ADMIN_ACTIONS_REVERT': 3,
+ 'SITE_SETTINGS': 3,
+ 'SITE_SETTINGS_UNDER_ATTACK': 3,
+ 'CACHE_PURGE_CDN': 3,
+ 'CACHE_DUMP_INTERNAL': 2,
+ 'DOMAINS_BAN': 3,
 }
 FEATURES = {
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 42c7bead9..637b29a39 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -450,7 +450,7 @@ def admin_git_head():
 return gitref
 @app.post("/admin/site_settings/")
-@admin_level_required(3)
+@admin_level_required(PERMS['SITE_SETTINGS'])
 def change_settings(v, setting):
 site_settings = app.config['SETTINGS']
 site_settings[setting] = not site_settings[setting]
@@ -471,7 +471,7 @@ def change_settings(v, setting):
 @app.post("/admin/purge_cache")
-@admin_level_required(3)
+@admin_level_required(PERMS['CACHE_PURGE_CDN'])
 def purge_cache(v):
 online = cache.get(ONLINE_STR)
 cache.clear()
@@ -490,7 +490,7 @@ def purge_cache(v):
 @app.post("/admin/under_attack")
-@admin_level_required(3)
+@admin_level_required(PERMS['SITE_SETTINGS_UNDER_ATTACK'])
 def under_attack(v):
 response = requests.get(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/settings/security_level', headers=CF_HEADERS, timeout=5).json()['result']['value']
@@ -1386,7 +1386,7 @@ def admin_distinguish_comment(c_id, v):
 else: return {"message": "Comment undistinguished!"}
 @app.get("/admin/dump_cache")
-@admin_level_required(2)
+@admin_level_required(PERMS['CACHE_DUMP_INTERNAL'])
 def admin_dump_cache(v):
 online = cache.get(ONLINE_STR)
 cache.clear()
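Review bot: The new `CACHE_DUMP_INTERNAL` entry is set to 2 while `CACHE_PURGE_CDN` is 3, yet the admin.py hunks for `purge_cache` and `admin_dump_cache` both call `cache.clear()` after reading `ONLINE_STR`, so a level-2 admin can already wipe the server-side cache through the dump endpoint; the commit preserves the previous hard-coded 2 rather than reconsidering it. If the lower level is deliberate, record that next to the entry so the asymmetry is not read as a mistake later, e.g. `'CACHE_DUMP_INTERNAL': 2, # also clears the in-process cache (admin_dump_cache); kept at the previous level 2`; otherwise align it with `CACHE_PURGE_CDN`. A similar one-line comment on `SITE_SETTINGS_UNDER_ATTACK` would help, since `under_attack` calls the Cloudflare API rather than toggling `app.config['SETTINGS']` like `change_settings`, and the two names are easy to conflate.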
@@ -1402,7 +1402,7 @@ def admin_dump_cache(v):
 @app.get("/admin/banned_domains/")
-@admin_level_required(3)
+@admin_level_required(PERMS['DOMAINS_BAN'])
 def admin_banned_domains(v):
 banned_domains = g.db.query(BannedDomain).all()
@@ -1410,7 +1410,7 @@ def admin_banned_domains(v):
 @app.post("/admin/banned_domains")
 @limiter.limit("1/second;30/minute;200/hour;1000/day")
-@admin_level_required(3)
+@admin_level_required(PERMS['DOMAINS_BAN'])
 def admin_toggle_ban_domain(v):
 domain=request.values.get("domain", "").strip()