Fix for CRUD vulnerability on certain admin routes

* Re #9
* Thanks @Chiggins

cdw/views_crud.py

@@ -2,6 +2,7 @@
     :copyright: (c) 2011 Local Projects, all rights reserved
     :license: Affero GNU GPL v3, see LEGAL/LICENSE for more details.
 """
+from cdw import admin_required
 from cdw.forms import QuestionForm, ThreadCrudForm, PostCrudForm
 from cdw.models import Question, Post
 from cdw.services import cdw, connection_service
@@ -12,6 +13,7 @@
 
 # Questions
 @blueprint.route("/questions", methods=['POST'])
+@admin_required
 def question_create():
     form = QuestionForm(csrf_enabled=False)
     form.category.choices = [(str(c.id), c.name) for c in cdw.categories.all()]
@@ -23,6 +25,7 @@ def question_create():
     return redirect('/admin/debates/questions')
 
 @blueprint.route("/questions/<question_id>", methods=['PUT'])
+@admin_required
 def question_update(question_id):
     question = cdw.questions.with_id(question_id)
     form = QuestionForm(csrf_enabled=False)
@@ -36,6 +39,7 @@ def question_update(question_id):
     return redirect('/admin/debates/questions/%s' % str(question.id))
 
 @blueprint.route("/questions/<question_id>", methods=['DELETE'])
+@admin_required
 def question_delete(question_id):
     question = cdw.questions.with_id(question_id)
     threads = cdw.threads.with_fields(question=question)
@@ -49,6 +53,7 @@ def question_delete(question_id):
     return redirect("/admin/debates/questions")
 
 @blueprint.route("/questions/<question_id>/unarchive", methods=['GET','POST'])
+@admin_required
 def question_unarchive(question_id):
     question = cdw.questions.with_id(question_id)
     question.archived = False
@@ -59,6 +64,7 @@ def question_unarchive(question_id):
 
 # Threads
 @blueprint.route("/threads", methods=['POST'])
+@admin_required
 def thread_create():
     thread_form = ThreadCrudForm(csrf_enabled=False)
     current_app.logger.debug(thread_form.question_id.data)
@@ -87,10 +93,12 @@ def thread_show(thread_id):
     pass
 
 @blueprint.route("/threads/<thread_id>", methods=['PUT'])
+@admin_required
 def thread_update(thread_id):
     pass
 
 @blueprint.route("/threads/<thread_id>", methods=['DELETE'])
+@admin_required
 def thread_delete(thread_id):
     thread = cdw.threads.with_id(thread_id)
     """
@@ -117,6 +125,7 @@ def thread_delete(thread_id):
 # Users
 """
 @blueprint.route("/users", methods=['POST'])
+@admin_required
 def user_create():
     pass
 
@@ -125,6 +134,7 @@ def user_show(user_id):
     pass
 
 @blueprint.route("/users/<user_id>", methods=['PUT'])
+@admin_required
 def user_update(user_id):
     pass
 """
@@ -158,6 +168,7 @@ def user_delete(user_id):
 
 # Posts
 @blueprint.route("/posts", methods=['POST'])
+@admin_required
 def post_create():
     post_form = PostCrudForm(csrf_enabled=False)
 
@@ -177,11 +188,13 @@ def post_show(post_id):
     pass
 
 @blueprint.route("/posts/<post_id>", methods=['PUT'])
+@admin_required
 def post_update(post_id):
     pass
 """
 
 @blueprint.route("/posts/<post_id>", methods=['DELETE'])
+@admin_required
 def post_delete(post_id):
     post = cdw.posts.with_id(post_id)
     current_app.logger.debug('Deleting post: %s' % post)
@@ -206,6 +219,7 @@ def post_like(post_id):
     return redirect(request.referrer)
 
 @blueprint.route("/posts/<post_id>/unflag", methods=['POST'])
+@admin_required
 def post_reset_flags(post_id):
     post = cdw.posts.with_id(post_id)
     post.flags = 0
@@ -214,13 +228,15 @@ def post_reset_flags(post_id):
     return redirect(request.referrer)
 
 @blueprint.route("/suggestions/<question_id>", methods=['DELETE'])
+@admin_required
 def suggestion_delete(question_id):
     question = cdw.suggestions.with_id(question_id)
     question.delete()
     flash("Question deleted successfully", "info")
     return redirect("/admin/debates/suggestions")
 
 @blueprint.route("/suggestions/<question_id>/approve", methods=['POST'])
+@admin_required
 def suggestion_approve(question_id):
     question = cdw.suggestions.with_id(question_id)
     new_question = Question(