authorMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 18:07:22 +0100
committerDave Arter <davea@mysociety.org>2016-07-19 17:56:22 +0100
commit6afbfe45183412e35e8e846fd0d4a9d846c8644b (patch)
tree3f5cb6173c08a571811f0a31508b45acf31d69f7 /bin
parent65545553b5171f1ef1d611ea93c38f138451fb31 (diff)
Use normal user authentication to control access to /admin
- Adds is_superuser flag to User - Logged-in user must be a superuser or have from_body set in order to access anything within /admin - has_permission_to on a superuser will always return true - Only superusers can create/grant superusers - New `createsuperuser` command for creating superusers
Diffstat (limited to 'bin')
-rwxr-xr-xbin/createsuperuser33
-rwxr-xr-xbin/update-schema1
2 files changed, 34 insertions, 0 deletions
diff --git a/bin/createsuperuser b/bin/createsuperuser
new file mode 100755
index 000000000..98b36aa36
--- /dev/null
+++ b/bin/createsuperuser
@@ -0,0 +1,33 @@
+#!/usr/bin/env perl
+
+# createsuperuser:
+# Create superusers or grant is_superuser flag to existing users.
+#
+# Usage:
+#
+# Create a new superuser with password 'password123'
+# $ bin/createsuperuser user1@example.org password123
+#
+# Grant superuser status to an existing user:
+# $ bin/createsuperuser user2@example.org
+#
+# Superusers can create superusers and grant/rescind superuser status via /admin
+#
+# Copyright (c) 2016 UK Citizens Online Democracy. All rights reserved.
+# Email: davea@mysociety.org. WWW: http://www.mysociety.org
+
+use strict;
+use warnings;
+
+BEGIN {
+ use File::Basename qw(dirname);
+ use File::Spec;
+ my $d = dirname(File::Spec->rel2abs($0));
+ require "$d/../setenv.pl";
+}
+
+
+use FixMyStreet;
+use FixMyStreet::Script::CreateSuperuser;
+
+FixMyStreet::Script::CreateSuperuser::createsuperuser();
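Review bot: The usage comment documents `bin/createsuperuser user1@example.org password123`, so the new superuser's password is given as a command-line argument, where it lands in shell history and is readable by other local users in the process list while the script runs. Argument handling lives in FixMyStreet::Script::CreateSuperuser, which is not part of this diff, so whether another input path exists cannot be seen from here; if none does, prompting for the password on the terminal when a new user is created without a second argument would avoid the exposure. At minimum the header should warn operators, e.g. `# Note: a password given as an argument is visible in shell history and process listings; change it after first login.` The example value `password123` is also better written as a placeholder such as `<password>` so it is not copied verbatim into a real admin account.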
diff --git a/bin/update-schema b/bin/update-schema
index 1393178f8..8f74f34f1 100755
--- a/bin/update-schema
+++ b/bin/update-schema
@@ -194,6 +194,7 @@ else {
# By querying the database schema, we can see where we're currently at
# (assuming schema change files are never half-applied, which should be the case)
sub get_db_version {
+ return '0040' if column_exists('users', 'is_superuser');
return '0039' if column_exists('users', 'facebook_id');
return '0038' if column_exists('admin_log', 'time_spent');
return '0037' if table_exists('response_templates');