From e71f30ab502b7e0e54903ed5f3a0cd75fce4feca Mon Sep 17 00:00:00 2001
From: Spencer Krum
Date: Thu, 29 Aug 2013 12:10:51 -0700
Subject: [PATCH] Add flag to enable or disable the query page

Puppetboard is an excelent radiator of information, but sometimes we want to expose information to users we don't trust giving full access to the PuppetDB query language. I would reccomend that Puppetboard be run twice. One, with query enabled, run on a port behind apache login. Another, with query disabled, run unproxied for the unwashed masses. Closes #10.
---
 puppetboard/app.py | 20 ++++++++++++++------
 puppetboard/default_settings.py | 1 +
 puppetboard/templates/403.html | 11 +++++++++++
 3 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 puppetboard/templates/403.html

diff --git a/puppetboard/app.py b/puppetboard/app.py
index f4efe09..618a639 100644
--- a/puppetboard/app.py
+++ b/puppetboard/app.py
@@ -51,6 +51,10 @@ def stream_template(template_name, **context):
 def bad_request(e):
     return render_template('400.html'), 400
 
+@app.errorhandler(403)
+def bad_request(e):
+    return render_template('403.html'), 400
+
 @app.errorhandler(404)
 def not_found(e):
     return render_template('404.html'), 404
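Review bot: The new 403 handler returns the wrong status code: `return render_template('403.html'), 400` answers a forbidden request with HTTP 400, so the `abort(403)` raised by the query view reaches clients as "bad request" rather than "forbidden", and any proxy or monitoring keyed on the status will misclassify it. The handler also reuses the name `bad_request`, which rebinds the module-level name the 400 handler was registered under; the decorator has already registered that handler so behaviour is unaffected, but the duplicate definition is misleading and most linters will flag it. I would change the three added lines to `@app.errorhandler(403)`, `def forbidden(e):`, `    return render_template('403.html'), 403`.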
@@ -191,12 +195,16 @@ def query():
     of the possible exceptions are being handled just yet. This will return the JSON of the response or a message telling you what whent wrong / why nothing was returned."""
-    form = QueryForm()
-    if form.validate_on_submit():
-        result = get_or_abort(puppetdb._query, form.endpoints.data,
-                              query='[{0}]'.format(form.query.data))
-        return render_template('query.html', form=form, result=result)
-    return render_template('query.html', form=form)
+    if app.config['ENABLE_QUERY']:
+        form = QueryForm()
+        if form.validate_on_submit():
+            result = get_or_abort(puppetdb._query, form.endpoints.data,
+                                  query='[{0}]'.format(form.query.data))
+            return render_template('query.html', form=form, result=result)
+        return render_template('query.html', form=form)
+    else:
+        log.warn('Access to query interface disabled by administrator..')
+        abort(403)
 
 @app.route('/metrics')
 def metrics():
diff --git a/puppetboard/default_settings.py b/puppetboard/default_settings.py
index 292a6ac..d9dd533 100644
--- a/puppetboard/default_settings.py
+++ b/puppetboard/default_settings.py
@@ -7,4 +7,5 @@ PUPPETDB_TIMEOUT=20
 PUPPETDB_API=3
 DEV_LISTEN_HOST='127.0.0.1'
 DEV_LISTEN_PORT=5000
+ENABLE_QUERY=True
 LOGLEVEL='info'
diff --git a/puppetboard/templates/403.html b/puppetboard/templates/403.html
new file mode 100644
index 0000000..bfe77d0
--- /dev/null
+++ b/puppetboard/templates/403.html
@@ -0,0 +1,11 @@
+{% extends 'layout.html' %}
+{% block row_fluid %}
+
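Review bot: The added `if app.config['ENABLE_QUERY']:` pushes the whole pre-existing body one indentation level deeper and introduces an `else:` that only exists to hold the refusal; a guard clause at the top of the function keeps the original lines untouched and makes the access decision visible at a glance: `if not app.config['ENABLE_QUERY']:`, `    log.warning('Access to query interface disabled by administrator.')`, `    abort(403)`, followed by the old body at its previous indentation. `log.warn` is the deprecated alias of `log.warning`, and logging at WARNING on every hit to an endpoint that is deliberately disabled on the publicly reachable instance will flood that instance's log with expected events; INFO or DEBUG is more appropriate since the 403 is the intended outcome. The gate matters because, when the flag is on, the body still hands `form.query.data` to PuppetDB unmodified via `'[{0}]'.format(...)`, so only the copy of the application that actually sits behind authentication should enable it. `query()`'s `def` line and the opening of its docstring are outside the hunk.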
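Review bot: `ENABLE_QUERY=True` leaves the raw PuppetDB query page enabled for every deployment that does not override it, including the unproxied instance the commit message recommends for untrusted users; keeping the old behaviour as the default is defensible for compatibility, but the settings file gives the operator no hint that this is the switch they are expected to flip. A comment above the line would make the exposure explicit, e.g. `# Expose the raw PuppetDB query page; set to False on instances reachable by untrusted users.`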
+
+
+

Permission Denied

+

What you were looking for has been disabled by the administrator.

+
+
+
+{% endblock %}