Require a password to turn admin mode on.

2026-01-26 23:39:11 -05:00 · 2012-03-13 00:41:50 -07:00
parent 975c06bb5d
commit e186b4cd98
5 changed files with 62 additions and 2 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2454,3 +2454,13 @@ class ApiController(RedditController):
        wrapped = wrap_links(link)
        wrapped = list(wrapped)[0]
        return websafe(spaceCompress(wrapped.link_child.content()))
+
+    @validatedForm(VUser('password', default=''),
+                   VModhash(),
+                   dest=VDestination())
+    def POST_adminon(self, form, jquery, dest):
+        if form.has_errors('password', errors.WRONG_PASSWORD):
+            return
+
+        self.login(c.user, admin = True, rem = True)
+        form.redirect(dest)
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -1066,8 +1066,9 @@ class FormsController(RedditController):
        #check like this because c.user_is_admin is still false
        if not c.user.name in g.admins:
            return self.abort404()
-        self.login(c.user, admin = True, rem = True)
-        return self.redirect(dest)
+
+        c.deny_frames = True
+        return AdminModeInterstitial(dest=dest).render()

    @validate(VAdmin(),
              dest = VDestination())
--- a/r2/r2/lib/pages/pages.py
+++ b/r2/r2/lib/pages/pages.py
@@ -745,6 +745,22 @@ class RegisterPage(LoginPage):
    def login_template(cls, **kw):
        return Register(**kw)

+class AdminModeInterstitial(BoringPage):
+    def __init__(self, dest, *args, **kwargs):
+        self.dest = dest
+        BoringPage.__init__(self, _("turn admin on"),
+                            show_sidebar=False,
+                            *args, **kwargs)
+
+    def content(self):
+        return PasswordVerificationForm("adminon", dest=self.dest)
+
+class PasswordVerificationForm(Templated):
+    def __init__(self, api, dest):
+        self.api = api
+        self.dest = dest
+        Templated.__init__(self)
+
 class Login(Templated):
    """The two-unit login and register form."""
    def __init__(self, user_reg = '', user_login = '', dest=''):
--- a/r2/r2/public/static/css/reddit.css
+++ b/r2/r2/public/static/css/reddit.css
@@ -5135,3 +5135,8 @@ tr.gold-accent + tr > td {
 .modactions.marknsfw {
    background-image: url(../modactions_marknsfw.png); /* SPRITE */
 }
+
+.adminpasswordform {
+    margin-bottom: .5em;
+    display: inline-block;
+}
--- a/r2/r2/templates/passwordverificationform.html
+++ b/r2/r2/templates/passwordverificationform.html
@@ -0,0 +1,28 @@
+<%
+   from r2.lib.template_helpers import static
+%>
+
+<%namespace name="utils" file="utils.html"/>
+<%namespace file="utils.html" import="error_field"/>
+
+<div class="content over18" style="text-align: center">
+  <img src="${static('over18.png')}" alt="jedberg alien" />
+
+  <h1>let me see your papers</h1>
+
+  <form action="/post/adminon" method="post"
+      onsubmit="return post_form(this, 'adminon')" id="adminon">
+    <div class="spacer">
+      <%utils:round_field title="${_('password')}" description="${_('(required)')}" css_class="adminpasswordform">
+      % if thing.dest:
+          <input type="hidden" name="dest" value="${thing.dest}" />
+      % endif
+      <input type="password" name="password" />
+      ${error_field("WRONG_PASSWORD", "password")}
+      </%utils:round_field>
+
+      <p><button type="submit" class="btn">${_('turn admin on')}</button></p>
+      <p class="status error"></p>
+    </div>
+  </form>
+</div>