Edit users page is somewhat visible to non admins #213
Comments
Hey JP, good catch. This is configured here: https://github.com/cubingusa/org/blob/master/cubingusa.py#L75 Key is "AllRoles()". It probably makes sense to set this to the same set of users that can actually edit users -- this is the handler for the async fetch: org/src/handlers/admin/edit_users.py Line 32 in b9856a4
Having some annoying git problems, so just ignore the referenced commit right before the PR.
Addressed in #240.
While looking at #201, I visited https://cubingusa.org/admin/edit_users and saw something odd. The edit users admin filter box comes up for me (even though I'm not an admin), but not the table. I duplicated this locally and found that anyone who is a delegate will get this strange formatting, but a person with no permissions (an average competitor) will just get redirected back home. I'll try and poke around, but the permission controlling for edit users does not seem to be in the handler, so if anyone has suggestions or a fix, feel free to chime in.
Not a dangerous issue since the table does not appear, which means delegates can't just edit users freely.
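The mismatch discussed in this issue, sketched as an added example that is not part of the thread or of the cubingusa/org code: a page route admits a wider role set than the async endpoint that fills it, so some users get the page shell without the data. The role names, the `Route` type, the async path and the meaning given to `ALL_ROLES` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role sets, loosely based on the roles mentioned in the thread.
ADMIN, DELEGATE = "admin", "delegate"
ALL_ROLES = frozenset({ADMIN, DELEGATE})   # assumption: any user holding some role
EDIT_USERS_ROLES = frozenset({ADMIN})      # assumption: who may actually edit users


@dataclass(frozen=True)
class Route:
    path: str
    allowed: frozenset               # roles permitted to reach this handler
    data_for: Optional[str] = None   # page this async endpoint feeds, if any


def is_allowed(route, user_roles):
    """True when the user holds at least one role the route accepts."""
    return bool(route.allowed & set(user_roles))


def find_permission_drift(routes):
    """List (page, endpoint, extra_roles) where a page admits roles that its
    data endpoint rejects, i.e. the shell renders but the fetch is denied."""
    by_path = {r.path: r for r in routes}
    drift = []
    for endpoint in routes:
        if endpoint.data_for is None:
            continue
        page = by_path[endpoint.data_for]
        extra = page.allowed - endpoint.allowed
        if extra:
            drift.append((page.path, endpoint.path, sorted(extra)))
    return drift


# Hypothetical async path; only /admin/edit_users appears in the issue.
ASYNC_PATH = "/async_hypothetical/edit_users"

# Before: page guarded by the wide set, data endpoint by the narrow one.
BEFORE = [
    Route("/admin/edit_users", ALL_ROLES),
    Route(ASYNC_PATH, EDIT_USERS_ROLES, data_for="/admin/edit_users"),
]
# After: both routes share one permission set, as suggested in the thread.
AFTER = [
    Route("/admin/edit_users", EDIT_USERS_ROLES),
    Route(ASYNC_PATH, EDIT_USERS_ROLES, data_for="/admin/edit_users"),
]

if __name__ == "__main__":
    print("before:", find_permission_drift(BEFORE))
    print("after: ", find_permission_drift(AFTER))
```

Running a check like this over the route table in CI catches the same drift whenever a page and its data handler are configured in separate files.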