This is an automated email from the ASF dual-hosted git repository. wave pushed a commit to branch drop-admin-privileges in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
commit 96fd0c3659faf143a461ea4ce9e4a5c59807b383 Author: Dave Fisher <[email protected]> AuthorDate: Fri Feb 27 12:41:50 2026 -0800 Drop admin privileges --- atr/admin/templates/toggle-admin-view.html | 9 +++------ atr/user.py | 5 +++++ atr/util.py | 17 +++++++++-------- 3 files changed, 17 insertions(+), 14 deletions(-) diff --git a/atr/admin/templates/toggle-admin-view.html b/atr/admin/templates/toggle-admin-view.html index 6d2b594f..3cd4face 100644 --- a/atr/admin/templates/toggle-admin-view.html +++ b/atr/admin/templates/toggle-admin-view.html @@ -8,8 +8,9 @@ <h1>Toggle admin view</h1> <p class="mb-4"> - Use this page to switch between viewing the site as an administrator or as a regular user. - This is helpful for testing permissions and user experience from different perspectives. + Use this page to drop your administrator permissions in this session viewing with normal user permissions. + This is helpful for testing permissions and user experience from different perspectives. You will need log out + and log in to restore your administrator privileges. </p> {% if current_user and is_admin_fn(current_user.uid) %} @@ -26,9 +27,5 @@ </strong> </div> - {% else %} - <div class="alert alert-warning" role="alert"> - This function is only available to administrators. - </div> {% endif %} {% endblock content %} diff --git a/atr/user.py b/atr/user.py index e57e6788..f143769e 100644 --- a/atr/user.py +++ b/atr/user.py @@ -23,6 +23,7 @@ import atr.cache as cache import atr.config as config import atr.db as db import atr.models.sql as sql +import atr.util as util async def candidate_drafts(uid: str, user_projects: list[sql.Project] | None = None) -> list[sql.Release]: @@ -43,6 +44,8 @@ def is_admin(user_id: str | None) -> bool: return False if config.get().ALLOW_TESTS and (user_id == "test"): return True + if util.is_user_session_downgraded(): + return False if user_id in _get_additional_admin_users(): return True return user_id in cache.admins_get() 
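Review bot: The replacement paragraph on the two added lines is ungrammatical: "drop your administrator permissions in this session viewing with normal user permissions" runs two clauses together, and "You will need log out and log in" is missing "to". Suggest `Use this page to drop your administrator permissions for this session and view the site with normal user permissions.` and `You will need to log out and log in again to restore your administrator privileges.` The retained sentence about "different perspectives" also reads oddly now that the action is one-way rather than a toggle.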
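Review bot: The added `import atr.util as util` makes atr.user and atr.util import each other — the util.py hunks in this commit call `user.is_admin`, so util presumably already imports user. Module-style imports with attribute access deferred to call time usually survive such a cycle, but it breaks as soon as either module touches the other at import time, and the direction (a general util module now owning the session-downgrade check that the user module consults) deserves a comment. Suggest a note beside the import, e.g. `# NOTE: circular with atr.util (which calls user.is_admin); keep util.* access inside functions.`, or moving `is_user_session_downgraded` into atr.user so the cycle disappears.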
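Review bot: The new `util.is_user_session_downgraded()` check in `is_admin` ignores `user_id`: it consults the current request's session, so while a session is downgraded every uid passed in is reported as non-admin, including lookups about other users (for example listing who the admins are), not only the caller's own privileges. The same applies to the `is_admin_async` hunk that follows. The check also sits after the `ALLOW_TESTS`/`"test"` short circuit, so the test user can never be downgraded, which may be intended but is undocumented. Suggest at least documenting the scope on the added line, e.g. `# Session-scoped: a downgraded session answers False for every uid, not only the logged-in user.`, or restricting the check to the uid that owns the session if the caller has that available.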
@@ -53,6 +56,8 @@ async def is_admin_async(user_id: str | None) -> bool: return False if config.get().ALLOW_TESTS and (user_id == "test"): return True + if util.is_user_session_downgraded(): + return False if user_id in _get_additional_admin_users(): return True return user_id in await cache.admins_get_async() diff --git a/atr/util.py b/atr/util.py index 0b774684..4c6ff5d7 100644 --- a/atr/util.py +++ b/atr/util.py @@ -618,11 +618,8 @@ def is_ldap_configured() -> bool: return ldap.get_bind_credentials() is not None -def is_user_viewing_as_admin(uid: str | None) -> bool: - """Check whether a user is currently viewing the site with active admin privileges.""" - if not user.is_admin(uid): - return False - +def is_user_session_downgraded() -> bool: + """Check whether a user session is downgraded from active admin privileges.""" try: app = asfquart.APP if (not hasattr(app, "app_id")) or (not isinstance(app.app_id, str)): @@ -631,13 +628,17 @@ def is_user_viewing_as_admin(uid: str | None) -> bool: cookie_id = app.app_id session_dict = quart.session.get(cookie_id, {}) - is_downgraded = session_dict.get("downgrade_admin_to_user", False) - return not is_downgraded + return session_dict.get("downgrade_admin_to_user", False) except Exception: - log.exception(f"Error checking admin downgrade session status for {uid}") + log.exception("Error checking admin downgrade session status") return False +def is_user_viewing_as_admin(uid: str | None) -> bool: + """Check whether a user is currently viewing the site with active admin privileges.""" + return user.is_admin(uid) + + def json_for_script_element(value: Any) -> markupsafe.Markup: """Serialise JSON safely for use inside a script element.""" return jinja2.utils.htmlsafe_json_dumps(value, dumps=json.dumps, ensure_ascii=False) --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
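Review bot: `is_user_session_downgraded` reads `asfquart.APP` and `quart.session`, so it only gives a meaningful answer inside a request context, yet the new docstring on the added line does not say so, and its new callers `user.is_admin`/`is_admin_async` take a bare uid and look callable from outside a request (background tasks, CLI). Outside a request the session lookup presumably raises, and the handling for that is in the next hunk, where the function body continues. Suggest expanding the docstring to `Return the current request session's admin-downgrade flag; must be called within a request context — on any error it logs and returns False.`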
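Review bot: The `except Exception` branch at the end of `is_user_session_downgraded` returns False, which now means "not downgraded", so any error while reading the session keeps admin privileges; the removed `is_user_viewing_as_admin` body returned False on the same path, which denied them, so this hunk flips that path from fail-closed to fail-open. Because the function exists to drop privileges, failing open is the less safe direction, and it is invisible to callers, which see `is_admin` answer as before with only a log line as evidence. If the broad catch is there for calls outside a request context, narrow it to that case and say so; otherwise consider treating an unreadable session as downgraded, or at minimum a comment on the return line, e.g. `# Fail-open: an unreadable session keeps admin rights; callers outside a request context depend on this.` The function starts in the previous hunk, and the new `is_user_viewing_as_admin` below is now a plain alias for `user.is_admin`, which its docstring should state.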
