Closed Mjacks3 closed 7 years ago
Importantly, these should definitely be hidden from the web interface if not signed in, but we also need to make sure that we validate on the backend that the signed in user (if any) has the appropriate permissions; that way people can't just submit the POST requests directly.
This can now be accomplished using `@app.login_required` decorators on some of the functions in views.py, and `{% if current_user.is_authenticated %}{% endif %}`-style directives in the templates.
@UMBC-CMSC447-Spring2017-Team5/developers Anyone who wants to take this now, can.
@alexander-bauer, Implemented (and I remembered to run the check for code standards), but it doesn't seem to hide/restrict the pages I designate. (This has been commented out of edit accounts and announcements but was left in for the account settings view and template. Also used the directives in the theme.html nav bar.) Let me know if the account settings page does restrict anonymous access on your end. I'll revisit this.
@Mjacks3 The template directive `{% if current_user.is_authenticated %}` shouldn't be used to hide the whole page. It'll just serve an empty page (which is hard for the user to follow) rather than deny access. Also, one of the things that's probably confusing is that the templates aren't disabled by HTML comments, because the template renderer doesn't understand HTML. You have to comment them out with `{# #}`-style Jinja comments.
I'm looking at it now, though.
@Mjacks3 I poked around a little in 1d0c8f8d85e47ca066de039f5990a05d12d88bd1, and this works for me now, so I'm closing this issue. Reopen it if you still see problems.
This includes the assignments button if not signed in, the edit announcements and edit accounts if not admin, and several buttons such as the edit/change mentor form that may or may not have been implemented at the time of this write-up.
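The thread's two points, that template directives only hide links while the view function must enforce the permission so a direct POST is refused, are shown together in the added example below. It is not code from the project's repository: it uses Flask alone with a small session-backed `current_user` stand-in instead of Flask-Login (the attribute name `is_authenticated` matches Flask-Login's so the template directive reads the same), a constructed two-user store, and hypothetical routes `/assignments` and `/announcements/edit`. The `probe()` function drives the app with Flask's test client so the behaviour can be checked offline.

```python
"""Template-level hiding plus backend authorization in Flask.

Added example; not the project's own code. Flask-Login is replaced by a
minimal session-backed CurrentUser so the file runs with Flask only.
"""
from functools import wraps
from flask import (Flask, abort, g, redirect, render_template_string,
                   request, session, url_for)

app = Flask(__name__)
app.secret_key = "example-only-key"  # assumption: real apps load this from config

# Constructed user store (username -> role); a real app queries a database.
USERS = {"alice": "admin", "bob": "student"}


class CurrentUser:
    """Stand-in for flask_login.current_user with the same attribute names."""
    def __init__(self, name):
        self.name = name
        self.is_authenticated = name is not None
        self.is_admin = USERS.get(name) == "admin" if name else False


@app.before_request
def load_user():
    g.current_user = CurrentUser(session.get("user"))


@app.context_processor
def inject_user():
    # Makes {% if current_user.is_authenticated %} work in every template.
    return {"current_user": g.current_user}


def login_required(view):
    """Anonymous callers are redirected to the login page, never served."""
    @wraps(view)
    def wrapped(*args, **kwargs):
        if not g.current_user.is_authenticated:
            return redirect(url_for("login", next=request.path))
        return view(*args, **kwargs)
    return wrapped


def admin_required(view):
    """Signed-in non-admins get 403; anonymous callers hit login_required first."""
    @wraps(view)
    def wrapped(*args, **kwargs):
        if not g.current_user.is_admin:
            abort(403)
        return view(*args, **kwargs)
    return login_required(wrapped)


# Nav bar: directives hide links, which is all the template layer should do.
NAV = """<nav>
  <a href="/">Home</a>
  {% if current_user.is_authenticated %}
    <a href="/assignments">Assignments</a>
    {% if current_user.is_admin %}<a href="/announcements/edit">Edit announcements</a>{% endif %}
  {% else %}
    <a href="/login">Sign in</a>
  {% endif %}
  {# Jinja comment: an HTML comment here would still be rendered and parsed #}
</nav>"""


@app.route("/")
def index():
    return render_template_string(NAV)


@app.route("/login", methods=["GET", "POST"])
def login():
    # Demo login that trusts the posted username; real code verifies a password.
    if request.method == "POST":
        name = request.form.get("username")
        if name not in USERS:
            abort(401)
        session["user"] = name
        nxt = request.args.get("next", "/")
        if not nxt.startswith("/") or nxt.startswith("//"):  # block open redirects
            nxt = "/"
        return redirect(nxt)
    return "login form"


@app.route("/assignments")
@login_required
def assignments():
    return "assignments"


@app.route("/announcements/edit", methods=["GET", "POST"])
@admin_required
def edit_announcements():
    # The decorator runs before this body, so a crafted POST never reaches it.
    return "announcement saved" if request.method == "POST" else "edit form"


def probe():
    """Drive the app as anonymous, student and admin; return what each saw."""
    out = {}
    with app.test_client() as c:
        out["anon_nav_hides_assignments"] = "Assignments" not in c.get("/").get_data(as_text=True)
        out["anon_post_edit"] = c.post("/announcements/edit", data={"body": "x"}).status_code
        c.post("/login", data={"username": "bob"})
        out["student_nav_shows_assignments"] = "Assignments" in c.get("/").get_data(as_text=True)
        out["student_post_edit"] = c.post("/announcements/edit", data={"body": "x"}).status_code
    with app.test_client() as c:
        c.post("/login", data={"username": "alice"})
        out["admin_post_edit"] = c.post("/announcements/edit", data={"body": "x"}).status_code
    return out


if __name__ == "__main__":
    print(probe())
```

The anonymous POST gets a 302 to the login page and the student's POST gets a 403 even though neither ever saw the link in the nav bar, which is the backend check the issue asks for; the template directive on its own would only have removed the link. Note that `admin_required` wraps `login_required` so the unauthenticated case is handled once, and the `next` parameter is restricted to same-site paths so the login redirect cannot be abused as an open redirect.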