From 9f5a48f97f33bfd90f6ee201d1758277ffaa7360 Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Tue, 19 Nov 2013 16:57:12 -0800
Subject: [PATCH] Don't allow non-admins to even generate admin cookies.

They weren't usable due to the checks in reddit_base, but it's safer to not even generate 'em. Thanks to /u/largenocream for reporting this.
---
 r2/r2/controllers/api.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 48dca04d2..12fd8602e 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -3303,6 +3303,9 @@ class ApiController(RedditController, OAuth2ResourceController):
 remember=VBoolean("remember"),
 dest=VDestination())
 def POST_adminon(self, form, jquery, remember, dest):
+ if c.user.name not in g.admins:
+ self.abort403()
+
 if form.has_errors('password', errors.WRONG_PASSWORD):
 return