From 61545ef91bb64807d0ec5b26d32ba9858fc510a3 Mon Sep 17 00:00:00 2001
From: Rogier Neeleman
Date: Fri, 7 Jul 2017 20:45:44 +0200
Subject: [PATCH] /deletescore was enabled without admin authorisation

---
 nfgame.py | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/nfgame.py b/nfgame.py
index 823da9e..64ca2d5 100644
--- a/nfgame.py
+++ b/nfgame.py
@@ -289,24 +289,21 @@ def tag_found(taghash):
 @app.route('/admin/')
 def admin_page(password):
     if password == app.config['ADMIN_PASSWORD']:
+        session['admin'] = 'true'
         return render_template('admin_page.html')
     else:
         return redirect(url_for('index'))
 
 @app.route('/deletescore')
 def delete_score():
-    db = get_db()
-    cur = db.execute("delete from score")
-    db.commit()
+    if 'admin' in session and session['admin'] == 'true':
+        db = get_db()
+        cur = db.execute("delete from score")
+        db.commit()
 
-    return render_template('admin_page.html')
-
-@app.route('/deleteuser')
-def delete_user():
-    session.pop('username', None)
-    session.pop('id', None)
-
-    return render_template('admin_page.html')
+        return render_template('admin_page.html')
+    else:
+        return redirect(url_for('index'))
 
 if __name__ == '__main__':
     app.run(threaded=True)
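Review bot: The new guard in delete_score still lets a destructive write run on a plain GET, so once an admin holds the session flag, any page that merely embeds a link or image pointing at /deletescore will wipe the table through the admin's browser (CSRF); restrict the route with `@app.route('/deletescore', methods=['POST'])` and require a CSRF token on the form that submits it. The membership check can also be tightened to one expression, `if session.get('admin') == 'true':`, and `cur` is assigned but never read, so `db.execute("delete from score")` on its own is enough. The admin flag is now granted from a value that arrives in the URL path of admin_page (the route's parameter segment appears stripped in this rendering), which presumably ends up in server logs and browser history; if the password check stays, comparing it with `hmac.compare_digest(password, app.config['ADMIN_PASSWORD'])` would avoid a timing-dependent string compare. Nothing in the hunk clears session['admin'] again, so a session-expiry or logout path for the admin flag is worth adding alongside this change.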