Prevent XSS attacks with wmd using the google-caja html sanitizer.
[osqa.git] / forum / views / admin.py
index 67047ba9c36f301131712b2c7cefc53f1a4e10c8..da9dc67cdc326bd4b7124b84d76657f60fdbdd27 100644 (file)
@@ -1,6 +1,7 @@
 from datetime import datetime, timedelta
 import time
 
+from django.views.decorators.csrf import csrf_exempt
 from django.shortcuts import render_to_response, get_object_or_404
 from django.core.urlresolvers import reverse
 from django.http import HttpResponseRedirect, HttpResponse, Http404
@@ -56,6 +57,10 @@ def admin_page_wrapper(fn, request, *args, **kwargs):
 
     context['tools'] = [(name, fn.label) for name, fn in TOOLS.items()]
 
+    # Show the navigation only to moderators and super users
+    if not context.has_key("hide_navigation"):
+        context['hide_navigation'] = not request.user.is_superuser
+
     unsaved = request.session.get('previewing_settings', {})
     context['unsaved'] = set([getattr(settings, s).set.name for s in unsaved.keys() if hasattr(settings, s)])
 
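Review bot: The added comment says the navigation is shown to moderators and super users, but the condition below it sets `hide_navigation` from `not request.user.is_superuser` alone, so a moderator who is not a super user gets the navigation hidden. Either the comment should read `# Show the navigation only to super users`, or the check should also test whatever attribute marks moderators in this project (not visible in this hunk). This flag only decides what the template renders, so every page the navigation links to still needs its own permission decorator. As a style point, `if 'hide_navigation' not in context:` is preferred over `context.has_key(...)`. The body of `admin_page_wrapper` starts and ends outside the hunk.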
@@ -571,9 +576,10 @@ def node_management(request):
     'state_types': state_types,
     'authors': authors,
     'tags': tags,
-    'hide_menu': True
+    'hide_navigation': True
     }))
 
+@csrf_exempt
 @super_user_required
 def test_email_settings(request):
     user = request.user
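Review bot: `@csrf_exempt` on `test_email_settings` switches off Django's CSRF token check for a view restricted by `@super_user_required`, and nothing in the commit title (an HTML sanitizer for wmd) explains why. With the exemption, a request made cross-site in a logged-in super user's browser is accepted without a token, so whatever the view does can be triggered without the admin intending it. The function body continues outside the hunk, so the impact cannot be judged from here. If the decorator was added because the calling form or AJAX request lacked the token, the safer fix is to remove it (and the import added in the first hunk) and send the token from the client, e.g. `{% csrf_token %}` in the form. If it has to stay, put the reason in a comment directly above the decorator.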