diff --git a/puppetboard/app.py b/puppetboard/app.py index f4efe09..618a639 100644 --- a/puppetboard/app.py +++ b/puppetboard/app.py @@ -51,6 +51,10 @@ def stream_template(template_name, **context): def bad_request(e): return render_template('400.html'), 400 +@app.errorhandler(403) +def bad_request(e): + return render_template('403.html'), 400 + @app.errorhandler(404) def not_found(e): return render_template('404.html'), 404 @@ -191,12 +195,16 @@ def query(): of the possible exceptions are being handled just yet. This will return the JSON of the response or a message telling you what whent wrong / why nothing was returned.""" - form = QueryForm() - if form.validate_on_submit(): - result = get_or_abort(puppetdb._query, form.endpoints.data, - query='[{0}]'.format(form.query.data)) - return render_template('query.html', form=form, result=result) - return render_template('query.html', form=form) + if app.config['ENABLE_QUERY']: + form = QueryForm() + if form.validate_on_submit(): + result = get_or_abort(puppetdb._query, form.endpoints.data, + query='[{0}]'.format(form.query.data)) + return render_template('query.html', form=form, result=result) + return render_template('query.html', form=form) + else: + log.warn('Access to query interface disabled by administrator..') + abort(403) @app.route('/metrics') def metrics(): diff --git a/puppetboard/default_settings.py b/puppetboard/default_settings.py index 292a6ac..d9dd533 100644 --- a/puppetboard/default_settings.py +++ b/puppetboard/default_settings.py @@ -7,4 +7,5 @@ PUPPETDB_TIMEOUT=20 PUPPETDB_API=3 DEV_LISTEN_HOST='127.0.0.1' DEV_LISTEN_PORT=5000 +ENABLE_QUERY=True LOGLEVEL='info' diff --git a/puppetboard/templates/403.html b/puppetboard/templates/403.html new file mode 100644 index 0000000..bfe77d0 --- /dev/null +++ b/puppetboard/templates/403.html @@ -0,0 +1,11 @@ +{% extends 'layout.html' %} +{% block row_fluid %} +
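Review bot: The new `@app.errorhandler(403)` handler returns status 400, so a client that hits a disabled route receives a Bad Request status with a "disabled by the administrator" body, and the function is also named `bad_request`, redefining the 400 handler registered two lines above it (the 400 decorator has already captured its own function object, so both handlers should still fire, but the module now carries two definitions of one name and linters will flag the redefinition). Rename it and return the matching status: `def forbidden(e):` / `return render_template('403.html'), 403`. A one-line docstring such as `"""Render the 403 page for routes an administrator has switched off."""` would make the pairing with the new template obvious.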
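Review bot: `app.config['ENABLE_QUERY']` raises KeyError, and so answers 500, if a deployment's settings are loaded without the default_settings key; whether the loader always applies default_settings first is not visible in this diff. Since the flag gates a console that forwards `form.query.data` verbatim to PuppetDB, the lookup should fail closed and the disabled case should come first as a guard, `if not app.config.get('ENABLE_QUERY', False):` / `log.warning('Access to query interface disabled by administrator.')` / `abort(403)`, with the existing form handling following unindented instead of inside an `else:`. `log.warn` is the deprecated alias of `log.warning`. The docstring above the change still says nothing about the flag; one added sentence, "Returns 403 when ENABLE_QUERY is false in the app config.", would cover it.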
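Review bot: `ENABLE_QUERY=True` ships the raw PuppetDB query console enabled for every viewer of the dashboard, and nothing in default_settings says what the key controls, so an operator reading this file has no hint that it is the switch to lock /query down. Add a comment above it, `# Expose the raw PuppetDB query console at /query; set False to answer 403 instead.`. Whether a False default is acceptable depends on existing deployments relying on /query, which this diff does not show, but the permissive default should at least be stated next to the key.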
What you were looking for has been disabled by the administrator.
+