Merge pull request #321 from aiarena/fix_staff_bot_files_access

Require superuser status for bot file downloads and admin links view.
aiarena · Nov 30, 2021 · ca19a16 · ca19a16
2 parents f570f39 + 2e332e3
commit ca19a16
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 3 deletions.
diff --git a/aiarena/frontend/static/style.css b/aiarena/frontend/static/style.css
@@ -1464,4 +1464,8 @@ input[type=text], input[type=password], input[type=email], input[type=number], i
   width: 84.5%;
   overflow: hidden;
   transition: max-height 0.2s ease-out
+}
+
+.private-download-warning {
+  background-color: rgba(255, 0, 0, 0.6);
 }
diff --git a/aiarena/frontend/templates/base.html b/aiarena/frontend/templates/base.html
@@ -120,7 +120,7 @@ <h3>user</h3>
                     </ul>
                 </li>
 
-                {% if user.is_staff %}
+                {% if user.is_superuser %}
                     <li>
                         <div id="sidebar-header">
                             <em class="material-icons">bug_report</em>

diff --git a/aiarena/frontend/templates/bot.html b/aiarena/frontend/templates/bot.html
@@ -41,8 +41,14 @@
                 </tr>
                 <tr>
                     <td><strong>Bot Zip</strong></td>
+                    {# Highlight red to warn super users if it's not a public download #}
+                    {% if request.user.is_superuser and not request.user == bot.user and not bot.bot_zip_publicly_downloadable %}
+                    <td class="private-download-warning">
+                    Warning: Private download!
+                    {% else %}
                     <td>
-                        {% if request.user == bot.user or bot.bot_zip_publicly_downloadable or request.user.is_staff %}
+                    {% endif %}
+                        {% if request.user == bot.user or bot.bot_zip_publicly_downloadable or request.user.is_superuser %}
                             <a href="{{ bot.bot_zip.url }}">Download</a>
                         {% else %}
                             --
@@ -51,9 +57,15 @@
                 </tr>
                 <tr>
                     <td><strong>Bot data</strong></td>
+                    {# Highlight red to warn super users if it's not a public download #}
+                    {% if request.user.is_superuser and not request.user == bot.user and not bot.bot_data_publicly_downloadable %}
+                    <td class="private-download-warning">
+                    Warning: Private download!
+                    {% else %}
                     <td>
+                    {% endif %}
                         {% if bot.bot_data %} {# Done with two if statements because templates don't allow parentheses #}
-                            {% if request.user == bot.user or bot.bot_data_publicly_downloadable or request.user.is_staff %}
+                            {% if request.user == bot.user or bot.bot_data_publicly_downloadable or request.user.is_superuser %}
                                 <a href="{{ bot.bot_data.url }}">Download</a>
                             {% else %}
                                 --