
Restricted the Admin Pages from users #59

Merged
merged 1 commit into from
Feb 3, 2025

Conversation

mdxabu

@mdxabu mdxabu commented Feb 3, 2025

Description of your changes:
This PR introduces a role-based access control (RBAC) mechanism for the app, ensuring that only users with the correct roles (i.e., "admin") are allowed to access certain routes and pages. The changes include the enhancement of the role_required decorator to check the user's role and redirect non-admin users to the 403.html page if they attempt to access admin-specific pages. Additionally, improvements were made to handle cases where the user session might be None, preventing AttributeError exceptions when accessing user data.

Changes:

  • role_required Decorator:
    • The role_required decorator was modified to first check for the google_id in the session. If present, it checks whether the user is an admin via the is_admin function.
    • If the google_id is not in the session, the decorator checks for the regular user session (username) and verifies their role by fetching user data from the database.
    • If the user is found and their role matches the required role, they are allowed to access the page. Otherwise, they are redirected to the 403.html page.
  • Session Handling:
    • Introduced error handling when the get_currentuser_from_session() function returns None (i.e., when no valid user data is found in the session). This prevents errors when accessing attributes like role of a non-existent user.
    • If no valid user or role is found, the app renders the 403.html page to indicate a forbidden access attempt.
  • Improved Admin Access Flow:
    • Admin-specific pages now require the user to have the role admin to be accessed. Non-admin users will be redirected to a 403 page.
    • Admin login functionality with Google OAuth is integrated to ensure that only users with a valid admin email can access the admin panel.

Testing:

  • Verified that only users with the role admin can access admin pages.
  • Checked that non-admin users are redirected to the 403.html page when attempting to access restricted areas.
  • Ensured that when no valid user is found in the session, the app gracefully handles the scenario and prevents errors like AttributeError: 'NoneType' object has no attribute 'get'.

Why this change is necessary:
This update ensures secure access to admin routes, preventing unauthorized users from accessing administrative functionality and resources. It also handles session inconsistencies more gracefully, improving the overall robustness and security of the app.

Checklist:
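The decorator flow the description lays out (Google session checked first via is_admin, otherwise the regular username session resolved to a database user whose role must match, with a None user handled before any attribute access) can be written as a small, framework-free example. The block below is an added illustration, not the PR's own code: USERS_DB, ADMIN_EMAILS, the FORBIDDEN tuple standing in for rendering 403.html, and passing the session explicitly as the first view argument are all constructed assumptions, since the project's real session store, database access and Flask wiring are not shown on this page.

```python
from functools import wraps
from typing import Callable, Optional

# Constructed in-memory stand-ins for the app's user table and the allow-list of
# admin emails used on the Google OAuth path (assumptions, not the project's data).
USERS_DB = {
    "alice": {"username": "alice", "role": "admin"},
    "bob": {"username": "bob", "role": "user"},
}
ADMIN_EMAILS = {"owner@example.org"}

# Stand-in for `render_template("403.html"), 403`.
FORBIDDEN = ("403.html", 403)


def is_admin(email: Optional[str]) -> bool:
    """Google OAuth path: only an email on the admin allow-list counts as admin."""
    return email is not None and email in ADMIN_EMAILS


def get_currentuser_from_session(session: dict) -> Optional[dict]:
    """Regular-login path: resolve the session's username to a user record.

    Returns None when there is no username in the session or the user is unknown,
    which is the case the PR guards against before touching `.get("role")`.
    """
    username = session.get("username")
    if username is None:
        return None
    return USERS_DB.get(username)


def role_required(role: str) -> Callable:
    """Allow the wrapped view only when the session resolves to a user with `role`."""

    def decorator(view: Callable) -> Callable:
        @wraps(view)
        def wrapper(session: dict, *args, **kwargs):
            # Path 1: a Google OAuth session is present. The page only describes an
            # admin check for this path, so any other required role is refused here
            # (assumption made for the example).
            if session.get("google_id") is not None:
                if role == "admin" and is_admin(session.get("email")):
                    return view(session, *args, **kwargs)
                return FORBIDDEN

            # Path 2: regular session. Check for None *before* reading the role so an
            # empty or stale session yields 403 instead of an AttributeError.
            user = get_currentuser_from_session(session)
            if user is None or user.get("role") != role:
                return FORBIDDEN
            return view(session, *args, **kwargs)

        return wrapper

    return decorator


@role_required("admin")
def admin_dashboard(session: dict):
    """A constructed admin-only view; returns a (template, status) pair."""
    return ("admin_dashboard.html", 200)
```

Note that on the Google path the decorator trusts whatever email the session carries; the OAuth callback that writes google_id and email into the session is therefore the place where the identity must actually have been verified, because nothing in the decorator itself can tell a genuine login from a session populated by other means.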

@mdxabu mdxabu added bug Something isn't working p1 Priority 1 labels Feb 3, 2025
@mdxabu mdxabu requested a review from pradeeban February 3, 2025 10:20
@mdxabu mdxabu self-assigned this Feb 3, 2025
@pradeeban

Looks good to me.

@mdxabu mdxabu merged commit c5fdd29 into KathiraveluLab:main Feb 3, 2025