coderedcorp / coderedcms

Wagtail + CodeRed Extensions enabling rapid development of marketing-focused websites.
https://www.coderedcorp.com/cms

Admin import_index and import_from_csv urls are accessible by users not having sufficient permissions for logging in to wagtail admin [Security Issue] #580

Closed soroosh-dev closed 1 year ago

soroosh-dev commented 1 year ago

URL patterns import_index and import_from_csv that are defined in admin_urls.py point to view functions that are decorated using Django's login_required decorator. Using this decorator denies access to these URLs by unauthenticated users; however, it does not check the user's permissions. This bug allows an authenticated user with insufficient permissions to log into the Wagtail admin to import pages from CSV files.

Steps to reproduce

Steps to reproduce the behavior:

  1. Create a user without the "wagtailadmin" permission (which is the required permission to log into the Wagtail admin). You can use django-admin at HTTP://127.0.0.1:8000/django-admin/ and log in with a superuser to create a simple user on a simple coderedcms project created with coderedcms start mysite.
  2. Logout.
  3. Go to http://127.0.0.1:8000/admin/ or your website's Wagtail admin and enter the username and password for the user you just created.
  4. As you see this user can't log into the Wagtail admin due to not having wagtailadmin permission.
  5. Go to http://127.0.0.1:8000/admin/codered/import-export/. You can import a CSV file to import pages into your website, but with this user you should not be able to do so.

Expected behavior

Like any other page in the Wagtail admin area, you should not be able to see these pages without sufficient permissions, instead, you should be redirected to the login page.

vsalvino commented 1 year ago

Thanks for reporting. I think the best solution would be to require superuser for these functions.
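The root cause described in the report is a confusion of authentication with authorization: Django's login_required only asks "is this request from a logged-in account?", while the Wagtail admin asks "does this account hold the wagtailadmin.access_admin permission (or is it a superuser)?". The block below is an added example, not code from coderedcms, Wagtail or Django: it re-implements the three decorators in a few lines each (a stand-in for django.contrib.auth's decorators, with a fake User and Request) so that it runs stand-alone, and contrasts the vulnerable login_required-only view with the two fixes discussed in the thread, one keyed on the Wagtail admin permission and the stricter superuser-only variant proposed in the reply. LOGIN_URL and the view bodies are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from functools import wraps

LOGIN_URL = "/admin/login/"                # assumed login page for the redirect
ADMIN_PERM = "wagtailadmin.access_admin"   # Wagtail's "Can access Wagtail admin" permission


@dataclass
class User:
    """Minimal stand-in for django.contrib.auth's user object (not Django's class)."""
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    perms: frozenset = frozenset()

    def has_perm(self, perm: str) -> bool:
        # Django grants every permission to active superusers.
        return self.is_superuser or perm in self.perms


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User


def login_required(view):
    """Authentication only: any logged-in account passes (the reported bug)."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.user.is_authenticated:
            return view(request, *args, **kwargs)
        return "redirect:" + LOGIN_URL
    return wrapper


def require_admin_access(view):
    """Authorization: the account must hold the Wagtail admin permission."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        user = request.user
        if user.is_authenticated and user.has_perm(ADMIN_PERM):
            return view(request, *args, **kwargs)
        return "redirect:" + LOGIN_URL
    return wrapper


def superuser_required(view):
    """Stricter option from the thread: only superusers may import pages."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        user = request.user
        if user.is_authenticated and user.is_superuser:
            return view(request, *args, **kwargs)
        return "redirect:" + LOGIN_URL
    return wrapper


@login_required
def import_index_vulnerable(request):
    return "ok"          # CSV import page rendered


@require_admin_access
def import_index_admin_only(request):
    return "ok"


@superuser_required
def import_index_superuser_only(request):
    return "ok"


def probe(user):
    """Return what each variant of the view does for the given user."""
    request = Request(user)
    return {
        "login_required": import_index_vulnerable(request),
        "require_admin_access": import_index_admin_only(request),
        "superuser_required": import_index_superuser_only(request),
    }


if __name__ == "__main__":
    # Constructed sample accounts matching the reproduction steps in the report.
    plain = User("plain")                                  # step 1: no wagtailadmin permission
    editor = User("editor", perms=frozenset({ADMIN_PERM}))
    root = User("root", is_superuser=True)
    for u in (ANONYMOUS, plain, editor, root):
        print(u.username, probe(u))
```

Running it shows the gap directly: the "plain" account, which the Wagtail login form rejects, is served the import page by the login_required-only view but redirected by both fixed variants. When wiring the real fix, the check belongs on the view (or on the URL include) rather than only in the template, since the report shows the URL is reached by typing it directly.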