fixes 169: ability to grant super cow powers to users

angular_app/js/app.js

@@ -75,16 +75,19 @@ eventManApp.run(['$rootScope', '$state', '$stateParams', '$log', 'Info',
             }
         };
 
-        /* Check GUI privileges. */
+        /* Check privileges of the currently logged in user or of the one specified with the second parameter. */
-        $rootScope.hasPermission = function(permission) {
+        $rootScope.hasPermission = function(permission, user) {
-            if (!($rootScope.info && $rootScope.info.user && $rootScope.info.user.permissions)) {
+            if (!(user || ($rootScope.info && $rootScope.info.user && $rootScope.info.user.permissions))) {
                 return false;
             }
+            if (!user) {
+                user = $rootScope.info.user;
+            }
             var granted = false;
             var splitted_permission = permission.split('|');
             var global_permission = splitted_permission[0] + '|all';
 
-            angular.forEach($rootScope.info.user.permissions || [],
+            angular.forEach(user.permissions || [],
                     function(value, idx) {
                         if (value === 'admin|all' || value === global_permission || value === permission) {
                             granted = true;

angular_app/js/controllers.js

@@ -687,6 +687,7 @@ eventManControllers.controller('UsersCtrl', ['$scope', '$rootScope', '$state', '
         if ($state.is('user.edit') && $state.params.id) {
             $scope.user = User.get({id: $state.params.id}, function() {
                 $scope.updateUserInfo = $scope.user;
+                $scope.updateUserInfo.isAdmin = $rootScope.hasPermission('admin|all', $scope.updateUserInfo);
             });
         }
 

angular_app/user-edit.html

@@ -20,6 +20,11 @@
                     <span class="input-group-addon min150">{{'New password' | translate}}</span>
                     <input type="password" id="new-password" name="new-password" ng-model="updateUserInfo.new_password" class="form-control">
                 </div>
+                <div class="checkbox">
+                    <label>
+                        <input type="checkbox" ng-model="updateUserInfo.isAdmin"> Check me out
+                    </label>
+                </div>
                 <button type="submit" ng-click="updateUser()" class="btn btn-success top10">{{'update' | translate}}</button>
             </form>
         </div>

eventman_server.py

@@ -909,9 +909,18 @@ class UsersHandler(CollectionHandler):
             del data['_id']
         if 'username' in data:
             del data['username']
-        # for the moment, prevent the ability to update permissions via web
+        if not self.has_permission('admin|all'):
-        if 'permissions' in data:
+            if 'permissions' in data:
-            del data['permissions']
+                del data['permissions']
+        else:
+            if 'isAdmin' in data:
+                if not 'permissions' in data:
+                    data['permissions'] = []
+                if 'admin|all' in data['permissions'] and not data['isAdmin']:
+                    data['permissions'].remove('admin|all')
+                elif 'admin|all' not in data['permissions'] and data['isAdmin']:
+                    data['permissions'].append('admin|all')
+                del data['isAdmin']
         return data
 
     @gen.coroutine
@@ -1197,7 +1206,7 @@ def run():
     ws_application = tornado.web.Application([_ws_handler], debug=options.debug)
     ws_http_server = tornado.httpserver.HTTPServer(ws_application)
     ws_http_server.listen(options.port+1, address='127.0.0.1')
-    logger.debug('Starting WebSocket on %s://127.0.0.1:%d', 'wss' if ssl_options else 'ws', options.port+1)
+    logger.debug('Starting WebSocket on ws://127.0.0.1:%d', options.port+1)
     tornado.ioloop.IOLoop.instance().start()