From c69aeb03dcda58e16f4ba55dcfb805cfda8abfe5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Thu, 15 Jun 2017 16:26:17 +0200
Subject: [PATCH] Hide Attract links & project settings for non-attract-users
---
 attract/__init__.py | 7 +++++++
 attract/routes.py | 3 +++
 2 files changed, 10 insertions(+)
diff --git a/attract/__init__.py b/attract/__init__.py
index 7211e9e..85b1029 100644
--- a/attract/__init__.py
+++ b/attract/__init__.py
@@ -170,9 +170,16 @@ class AttractExtension(PillarExtension):
 if not self.is_attract_project(project):
 return ''
+ if not self.auth.current_user_may(auth.Actions.VIEW):
+ return ''
+
 return flask.render_template('attract/sidebar.html', project=project)
+ @property
+ def has_project_settings(self) -> bool:
+ return self.auth.current_user_is_attract_user()
+
 def project_settings(self, project: pillarsdk.Project, **template_args: dict) -> flask.Response:
 """Renders the project settings page for this extension.
diff --git a/attract/routes.py b/attract/routes.py
index 346fc94..9c2233c 100644
--- a/attract/routes.py
+++ b/attract/routes.py
@@ -171,6 +171,9 @@ def project_settings(project: pillarsdk.Project, **template_args: dict):
 from . import EXTENSION_NAME
+ if not current_attract.auth.current_user_is_attract_user():
+ raise wz_exceptions.Forbidden()
+
 # Based on the project state, we can render a different template.
 if not current_attract.is_attract_project(project):
 return render_template('attract/project_settings/offer_setup.html',
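Review bot: In attract/__init__.py the sidebar guard tests `current_user_may(auth.Actions.VIEW)` while the new `has_project_settings` property tests `current_user_is_attract_user()`, so the two visibility decisions rest on different predicates and can drift apart. A one-line docstring on the property would record which one applies and that it is presentation-only, e.g. `"""True when the current user is an Attract user; controls UI visibility only."""`. Both additions only hide UI elements, so each Attract view still needs its own server-side check. The name `auth` in `auth.Actions.VIEW` has to be in module scope, which this hunk does not show, and the method holding the first added lines starts outside the hunk.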
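Review bot: The new guard in `project_settings` in attract/routes.py checks only the global Attract role and never looks at `project`, so as far as this hunk shows any Attract user passes it regardless of their rights on that specific project. If per-project rights are already enforced by a decorator or by the caller outside the hunk, record that above the check, e.g. `# Role check only; per-project access is enforced by the caller.`. If they are not, a project-scoped permission check belongs here before either template is rendered. The function body continues past the end of the hunk.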