From ef716f22e51d5336a01b12c42512fac298adb4a2 Mon Sep 17 00:00:00 2001 From: Terrtia Date: Wed, 19 Jun 2019 17:02:09 +0200 Subject: [PATCH] chg: [user_management endpoint] check user roles + add 503 template --- var/www/Flask_server.py | 9 ++++ .../modules/PasteSubmit/Flask_PasteSubmit.py | 15 ++++++ var/www/modules/Tags/Flask_Tags.py | 21 +++++++- var/www/modules/dashboard/Flask_dashboard.py | 6 +++ .../modules/hashDecoded/Flask_hashDecoded.py | 43 ++++++++++++++++ .../hiddenServices/Flask_hiddenServices.py | 27 ++++++++-- .../modules/rawSkeleton/Flask_rawSkeleton.py | 3 ++ var/www/modules/search/Flask_search.py | 4 ++ var/www/modules/sentiment/Flask_sentiment.py | 6 +++ var/www/modules/settings/Flask_settings.py | 13 ++++- var/www/modules/showpaste/Flask_showpaste.py | 10 ++++ var/www/modules/terms/Flask_terms.py | 15 ++++++ .../trendingcharts/Flask_trendingcharts.py | 6 +++ .../trendingmodules/Flask_trendingmodules.py | 5 ++ var/www/templates/error/403.html | 49 +++++++++++++++++++ 15 files changed, 225 insertions(+), 7 deletions(-) create mode 100644 var/www/templates/error/403.html diff --git a/var/www/Flask_server.py b/var/www/Flask_server.py index 5990ff6b..09f9ff41 100755 --- a/var/www/Flask_server.py +++ b/var/www/Flask_server.py @@ -34,6 +34,7 @@ import Flask_config # Import Role_Manager from Role_Manager import create_user_db, check_password_strength +from Role_Manager import login_admin, login_analyst def flask_init(): # # TODO: move this to update @@ -211,7 +212,15 @@ def logout(): logout_user() return redirect(url_for('login')) +# role error template +@app.route('/role', methods=['POST', 'GET']) +@login_required +def role(): + return render_template("error/403.html"), 403 + @app.route('/searchbox/') +@login_required +@login_analyst def searchbox(): return render_template("searchbox.html") diff --git a/var/www/modules/PasteSubmit/Flask_PasteSubmit.py b/var/www/modules/PasteSubmit/Flask_PasteSubmit.py index 8a1ffaab..85ca57e2 100644 
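Review bot: The new `/role` view in the second hunk is a normal routed page for a 403 condition, so each role decorator presumably has to know this URL and redirect to it, giving the client a 302 followed by a 403 instead of a direct 403 (Role_Manager is not in the diff, so this is inferred). A Flask error handler avoids that coupling and lets the decorators simply `abort(403)`: `@app.errorhandler(403)` / `def forbidden(e):` / `    return render_template("error/403.html"), 403`. `methods=['POST', 'GET']` is also wider than a static error page needs; the default GET-only route is enough. Note that the subject line says "503 template" while the file added and the status returned are both 403. `login_admin` is imported in the first hunk but not used in any visible hunk of this file, and the same unused `login_admin` import is added in PasteSubmit, dashboard, hashDecoded, hiddenServices, rawSkeleton, search, sentiment, showpaste, terms and trendingcharts.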
--- a/var/www/modules/PasteSubmit/Flask_PasteSubmit.py +++ b/var/www/modules/PasteSubmit/Flask_PasteSubmit.py @@ -6,6 +6,8 @@ ''' import redis from flask import Flask, render_template, jsonify, request, Blueprint, url_for, redirect + +from Role_Manager import login_admin, login_analyst from flask_login import login_required import unicodedata @@ -275,6 +277,7 @@ def hive_create_case(hive_tlp, threat_level, hive_description, hive_case_title, @PasteSubmit.route("/PasteSubmit/", methods=['GET']) @login_required +@login_analyst def PasteSubmit_page(): #active taxonomies active_taxonomies = r_serv_tags.smembers('active_taxonomies') @@ -288,6 +291,7 @@ def PasteSubmit_page(): @PasteSubmit.route("/PasteSubmit/submit", methods=['POST']) @login_required +@login_analyst def submit(): #paste_name = request.form['paste_name'] @@ -398,6 +402,7 @@ def submit(): @PasteSubmit.route("/PasteSubmit/submit_status", methods=['GET']) @login_required +@login_analyst def submit_status(): UUID = request.args.get('UUID') @@ -465,6 +470,7 @@ def submit_status(): @PasteSubmit.route("/PasteSubmit/create_misp_event", methods=['POST']) @login_required +@login_analyst def create_misp_event(): distribution = int(request.form['misp_data[Event][distribution]']) @@ -488,6 +494,7 @@ def create_misp_event(): @PasteSubmit.route("/PasteSubmit/create_hive_case", methods=['POST']) @login_required +@login_analyst def create_hive_case(): hive_tlp = int(request.form['hive_tlp']) @@ -511,6 +518,7 @@ def create_hive_case(): @PasteSubmit.route("/PasteSubmit/edit_tag_export") @login_required +@login_analyst def edit_tag_export(): misp_auto_events = r_serv_db.get('misp:auto-events') hive_auto_alerts = r_serv_db.get('hive:auto-alerts') 
@@ -576,6 +584,7 @@ def edit_tag_export(): @PasteSubmit.route("/PasteSubmit/tag_export_edited", methods=['POST']) @login_required +@login_analyst def tag_export_edited(): tag_enabled_misp = request.form.getlist('tag_enabled_misp') tag_enabled_hive = request.form.getlist('tag_enabled_hive') @@ -601,30 +610,35 @@ def tag_export_edited(): @PasteSubmit.route("/PasteSubmit/enable_misp_auto_event") @login_required +@login_analyst def enable_misp_auto_event(): r_serv_db.set('misp:auto-events', 1) return edit_tag_export() @PasteSubmit.route("/PasteSubmit/disable_misp_auto_event") @login_required +@login_analyst def disable_misp_auto_event(): r_serv_db.set('misp:auto-events', 0) return edit_tag_export() @PasteSubmit.route("/PasteSubmit/enable_hive_auto_alert") @login_required +@login_analyst def enable_hive_auto_alert(): r_serv_db.set('hive:auto-alerts', 1) return edit_tag_export() @PasteSubmit.route("/PasteSubmit/disable_hive_auto_alert") @login_required +@login_analyst def disable_hive_auto_alert(): r_serv_db.set('hive:auto-alerts', 0) return edit_tag_export() @PasteSubmit.route("/PasteSubmit/add_push_tag") @login_required +@login_analyst def add_push_tag(): tag = request.args.get('tag') if tag is not None: @@ -643,6 +657,7 @@ def add_push_tag(): @PasteSubmit.route("/PasteSubmit/delete_push_tag") @login_required +@login_analyst def delete_push_tag(): tag = request.args.get('tag') diff --git a/var/www/modules/Tags/Flask_Tags.py b/var/www/modules/Tags/Flask_Tags.py index f68491e6..8ab81297 100644 --- a/var/www/modules/Tags/Flask_Tags.py +++ b/var/www/modules/Tags/Flask_Tags.py @@ -222,7 +222,7 @@ def update_tag_last_seen(tag, tag_first_seen, tag_last_seen): @Tags.route("/tags/", methods=['GET']) @login_required -@login_admin +@login_analyst def Tags_page(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') 
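Review bot: Every endpoint in the `@@ -601,30 +610,35 @@` hunk gets `@login_analyst`, yet `enable_misp_auto_event`, `disable_misp_auto_event`, `enable_hive_auto_alert`, `disable_hive_auto_alert`, `add_push_tag` and `delete_push_tag` write instance-wide export settings (`r_serv_db.set('misp:auto-events', ...)`, `r_serv_db.set('hive:auto-alerts', ...)`) rather than analyse data, which reads more like the administrative scope that `login_admin` (imported but unused here) is meant for. The same uniform choice covers other views whose names suggest configuration changes elsewhere in this patch — `remove_tag`, `edit_taxonomie`, `disable_taxonomie`, `edit_galaxy_tag` in Flask_Tags.py, `blacklist_domain`, `unblacklist_domain`, `remove_auto_crawler` in Flask_hiddenServices.py, `delete_terms_email` in Flask_terms.py — and the Tags hunk on this line lowers `/tags/` from `login_admin` to `login_analyst`. Whether analysts should own those settings is a product decision the diff does not show; if the intent is a read-vs-configure split, the toggles would take `@login_required` / `@login_admin` / `def enable_misp_auto_event():` instead. A short comment stating the analyst/admin boundary next to the first decorated view would let the next reviewer check each route against it.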
@@ -357,6 +357,7 @@ def Tags_page(): @Tags.route("/Tags/get_all_tags") @login_required +@login_analyst def get_all_tags(): all_tags = r_serv_tags.smembers('list_tags') @@ -380,6 +381,7 @@ def get_all_tags(): @Tags.route("/Tags/get_all_tags_taxonomies") @login_required +@login_analyst def get_all_tags_taxonomies(): taxonomies = Taxonomies() @@ -398,6 +400,7 @@ def get_all_tags_taxonomies(): @Tags.route("/Tags/get_all_tags_galaxies") @login_required +@login_analyst def get_all_tags_galaxy(): active_galaxies = r_serv_tags.smembers('active_galaxies') @@ -412,6 +415,7 @@ def get_all_tags_galaxy(): @Tags.route("/Tags/get_tags_taxonomie") @login_required +@login_analyst def get_tags_taxonomie(): taxonomie = request.args.get('taxonomie') @@ -439,6 +443,7 @@ def get_tags_taxonomie(): @Tags.route("/Tags/get_tags_galaxy") @login_required +@login_analyst def get_tags_galaxy(): galaxy = request.args.get('galaxy') @@ -460,6 +465,7 @@ def get_tags_galaxy(): @Tags.route("/Tags/remove_tag") @login_required +@login_analyst def remove_tag(): #TODO verify input @@ -492,6 +498,7 @@ def confirm_tag(): @Tags.route("/Tags/tag_validation") @login_required +@login_analyst def tag_validation(): path = request.args.get('paste') @@ -513,6 +520,7 @@ def tag_validation(): @Tags.route("/Tags/addTags") @login_required +@login_analyst def addTags(): tags = request.args.get('tags') @@ -563,6 +571,7 @@ def addTags(): @Tags.route("/Tags/taxonomies") @login_required +@login_analyst def taxonomies(): active_taxonomies = r_serv_tags.smembers('active_taxonomies') @@ -600,6 +609,7 @@ def taxonomies(): @Tags.route("/Tags/edit_taxonomie") @login_required +@login_analyst def edit_taxonomie(): taxonomies = Taxonomies() @@ -649,6 +659,7 @@ def edit_taxonomie(): @Tags.route("/Tags/disable_taxonomie") @login_required +@login_analyst def disable_taxonomie(): taxonomies = Taxonomies() 
@@ -670,6 +681,7 @@ def disable_taxonomie(): @Tags.route("/Tags/active_taxonomie") @login_required +@login_analyst def active_taxonomie(): taxonomies = Taxonomies() @@ -690,6 +702,7 @@ def active_taxonomie(): @Tags.route("/Tags/edit_taxonomie_tag") @login_required +@login_analyst def edit_taxonomie_tag(): taxonomies = Taxonomies() @@ -733,6 +746,7 @@ def edit_taxonomie_tag(): @Tags.route("/Tags/galaxies") @login_required +@login_analyst def galaxies(): active_galaxies = r_serv_tags.smembers('active_galaxies') @@ -780,6 +794,7 @@ def galaxies(): @Tags.route("/Tags/edit_galaxy") @login_required +@login_analyst def edit_galaxy(): id = request.args.get('galaxy') @@ -848,6 +863,7 @@ def edit_galaxy(): @Tags.route("/Tags/active_galaxy") @login_required +@login_analyst def active_galaxy(): id = request.args.get('galaxy') @@ -893,6 +909,7 @@ def active_galaxy(): @Tags.route("/Tags/disable_galaxy") @login_required +@login_analyst def disable_galaxy(): id = request.args.get('galaxy') @@ -914,6 +931,7 @@ def disable_galaxy(): @Tags.route("/Tags/edit_galaxy_tag") @login_required +@login_analyst def edit_galaxy_tag(): arg1 = request.args.getlist('tag_enabled') @@ -987,6 +1005,7 @@ def edit_galaxy_tag(): @Tags.route("/Tags/tag_galaxy_info") @login_required +@login_analyst def tag_galaxy_info(): galaxy = request.args.get('galaxy') diff --git a/var/www/modules/dashboard/Flask_dashboard.py b/var/www/modules/dashboard/Flask_dashboard.py index 0bbcccac..160d9edb 100644 --- a/var/www/modules/dashboard/Flask_dashboard.py +++ b/var/www/modules/dashboard/Flask_dashboard.py @@ -13,6 +13,8 @@ import flask from Date import Date from flask import Flask, render_template, jsonify, request, Blueprint, url_for + +from Role_Manager import login_admin, login_analyst from flask_login import login_required # ============ VARIABLES ============ 
@@ -111,11 +113,13 @@ def datetime_from_utc_to_local(utc_str): @dashboard.route("/_logs") @login_required +@login_analyst def logs(): return flask.Response(event_stream(), mimetype="text/event-stream") @dashboard.route("/_get_last_logs_json") @login_required +@login_analyst def get_last_logs_json(): date = datetime.datetime.now().strftime("%Y%m%d") @@ -158,12 +162,14 @@ def get_last_logs_json(): @dashboard.route("/_stuff", methods=['GET']) @login_required +@login_analyst def stuff(): return jsonify(row1=get_queues(r_serv)) @dashboard.route("/") @login_required +@login_analyst def index(): default_minute = cfg.get("Flask", "minute_processed_paste") threshold_stucked_module = cfg.getint("Module_ModuleInformation", "threshold_stucked_module") diff --git a/var/www/modules/hashDecoded/Flask_hashDecoded.py b/var/www/modules/hashDecoded/Flask_hashDecoded.py index 83ce54b8..a3537b1a 100644 --- a/var/www/modules/hashDecoded/Flask_hashDecoded.py +++ b/var/www/modules/hashDecoded/Flask_hashDecoded.py @@ -17,6 +17,7 @@ from hashlib import sha256 import requests from flask import Flask, render_template, jsonify, request, Blueprint, redirect, url_for, send_file +from Role_Manager import login_admin, login_analyst from flask_login import login_required # ============ VARIABLES ============ @@ -476,6 +477,7 @@ def correlation_graph_node_json(correlation_type, type_id, key_id): # ============= ROUTES ============== @hashDecoded.route("/hashDecoded/all_hash_search", methods=['POST']) @login_required +@login_analyst def all_hash_search(): date_from = request.form.get('date_from') date_to = request.form.get('date_to') @@ -486,6 +488,7 @@ def all_hash_search(): @hashDecoded.route("/hashDecoded/", methods=['GET']) @login_required +@login_analyst def hashDecoded_page(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') 
@@ -604,6 +607,7 @@ def hashDecoded_page(): @hashDecoded.route('/hashDecoded/hash_by_type') @login_required +@login_analyst def hash_by_type(): type = request.args.get('type') type = 'text/plain' @@ -612,6 +616,7 @@ def hash_by_type(): @hashDecoded.route('/hashDecoded/hash_hash') @login_required +@login_analyst def hash_hash(): hash = request.args.get('hash') return render_template('hash_hash.html') @@ -619,6 +624,7 @@ def hash_hash(): @hashDecoded.route('/hashDecoded/showHash') @login_required +@login_analyst def showHash(): hash = request.args.get('hash') #hash = 'e02055d3efaad5d656345f6a8b1b6be4fe8cb5ea' @@ -673,6 +679,7 @@ def showHash(): @hashDecoded.route('/hashDecoded/downloadHash') @login_required +@login_analyst def downloadHash(): hash = request.args.get('hash') # sanitize hash @@ -710,6 +717,7 @@ def downloadHash(): @hashDecoded.route('/hashDecoded/hash_by_type_json') @login_required +@login_analyst def hash_by_type_json(): type = request.args.get('type') @@ -744,6 +752,7 @@ def hash_by_type_json(): @hashDecoded.route('/hashDecoded/decoder_type_json') @login_required +@login_analyst def decoder_type_json(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') @@ -800,6 +809,7 @@ def decoder_type_json(): @hashDecoded.route('/hashDecoded/top5_type_json') @login_required +@login_analyst def top5_type_json(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') @@ -859,6 +869,7 @@ def top5_type_json(): @hashDecoded.route('/hashDecoded/daily_type_json') @login_required +@login_analyst def daily_type_json(): date = request.args.get('date') @@ -879,6 +890,7 @@ def daily_type_json(): @hashDecoded.route('/hashDecoded/range_type_json') @login_required +@login_analyst def range_type_json(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') 
@@ -936,6 +948,7 @@ def range_type_json(): @hashDecoded.route('/hashDecoded/hash_graph_line_json') @login_required +@login_analyst def hash_graph_line_json(): hash = request.args.get('hash') date_from = request.args.get('date_from') @@ -966,6 +979,7 @@ def hash_graph_line_json(): @hashDecoded.route('/hashDecoded/hash_graph_node_json') @login_required +@login_analyst def hash_graph_node_json(): hash = request.args.get('hash') @@ -1034,6 +1048,7 @@ def hash_graph_node_json(): @hashDecoded.route('/hashDecoded/hash_types') @login_required +@login_analyst def hash_types(): date_from = 20180701 date_to = 20180706 @@ -1042,6 +1057,7 @@ def hash_types(): @hashDecoded.route('/hashDecoded/send_file_to_vt_js') @login_required +@login_analyst def send_file_to_vt_js(): hash = request.args.get('hash') @@ -1066,6 +1082,7 @@ def send_file_to_vt_js(): @hashDecoded.route('/hashDecoded/update_vt_result') @login_required +@login_analyst def update_vt_result(): hash = request.args.get('hash') @@ -1102,6 +1119,8 @@ def update_vt_result(): ############################ PGPDump ############################ @hashDecoded.route('/decoded/pgp_by_type_json') ## TODO: REFRACTOR +@login_required +@login_analyst def pgp_by_type_json(): type_id = request.args.get('type_id') date_from = request.args.get('date_from') @@ -1146,6 +1165,8 @@ def pgp_by_type_json(): ############################ Correlation ############################ @hashDecoded.route("/correlation/pgpdump", methods=['GET']) +@login_required +@login_analyst def pgpdump_page(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') @@ -1156,6 +1177,8 @@ def pgpdump_page(): return res @hashDecoded.route("/correlation/cryptocurrency", methods=['GET']) +@login_required +@login_analyst def cryptocurrency_page(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') 
@@ -1166,6 +1189,8 @@ def cryptocurrency_page(): return res @hashDecoded.route("/correlation/all_pgpdump_search", methods=['POST']) +@login_required +@login_analyst def all_pgpdump_search(): date_from = request.form.get('date_from') date_to = request.form.get('date_to') @@ -1174,6 +1199,8 @@ def all_pgpdump_search(): return redirect(url_for('hashDecoded.pgpdump_page', date_from=date_from, date_to=date_to, type_id=type_id, show_decoded_files=show_decoded_files)) @hashDecoded.route("/correlation/all_cryptocurrency_search", methods=['POST']) +@login_required +@login_analyst def all_cryptocurrency_search(): date_from = request.form.get('date_from') date_to = request.form.get('date_to') @@ -1182,6 +1209,8 @@ def all_cryptocurrency_search(): return redirect(url_for('hashDecoded.cryptocurrency_page', date_from=date_from, date_to=date_to, type_id=type_id, show_decoded_files=show_decoded_files)) @hashDecoded.route('/correlation/show_pgpdump') +@login_required +@login_analyst def show_pgpdump(): type_id = request.args.get('type_id') key_id = request.args.get('key_id') 
@@ -1189,36 +1218,48 @@ def show_pgpdump(): @hashDecoded.route('/correlation/show_cryptocurrency') +@login_required +@login_analyst def show_cryptocurrency(): type_id = request.args.get('type_id') key_id = request.args.get('key_id') return show_correlation('cryptocurrency', type_id, key_id) @hashDecoded.route('/correlation/cryptocurrency_range_type_json') +@login_required +@login_analyst def cryptocurrency_range_type_json(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') return correlation_type_range_type_json('cryptocurrency', date_from, date_to) @hashDecoded.route('/correlation/pgpdump_range_type_json') +@login_required +@login_analyst def pgpdump_range_type_json(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') return correlation_type_range_type_json('pgpdump', date_from, date_to) @hashDecoded.route('/correlation/pgpdump_graph_node_json') +@login_required +@login_analyst def pgpdump_graph_node_json(): type_id = request.args.get('type_id') key_id = request.args.get('key_id') return correlation_graph_node_json('pgpdump', type_id, key_id) @hashDecoded.route('/correlation/cryptocurrency_graph_node_json') +@login_required +@login_analyst def cryptocurrency_graph_node_json(): type_id = request.args.get('type_id') key_id = request.args.get('key_id') return correlation_graph_node_json('cryptocurrency', type_id, key_id) @hashDecoded.route('/correlation/pgpdump_graph_line_json') +@login_required +@login_analyst def pgpdump_graph_line_json(): type_id = request.args.get('type_id') key_id = request.args.get('key_id') @@ -1251,6 +1292,8 @@ def correlation_graph_line_json(correlation_type, type_id, key_id, date_from, da return jsonify() @hashDecoded.route('/correlation/cryptocurrency_graph_line_json') +@login_required +@login_analyst def cryptocurrency_graph_line_json(): type_id = request.args.get('type_id') key_id = request.args.get('key_id') 
diff --git a/var/www/modules/hiddenServices/Flask_hiddenServices.py b/var/www/modules/hiddenServices/Flask_hiddenServices.py index 09d1df1f..12fe3177 100644 --- a/var/www/modules/hiddenServices/Flask_hiddenServices.py +++ b/var/www/modules/hiddenServices/Flask_hiddenServices.py @@ -12,6 +12,8 @@ import time import json from pyfaup.faup import Faup from flask import Flask, render_template, jsonify, request, send_file, Blueprint, redirect, url_for + +from Role_Manager import login_admin, login_analyst from flask_login import login_required from Date import Date @@ -241,6 +243,7 @@ def delete_auto_crawler(url): @hiddenServices.route("/crawlers/", methods=['GET']) @login_required +@login_analyst def dashboard(): crawler_metadata_onion = get_crawler_splash_status('onion') crawler_metadata_regular = get_crawler_splash_status('regular') @@ -255,18 +258,15 @@ def dashboard(): crawler_metadata_regular=crawler_metadata_regular, statDomains_onion=statDomains_onion, statDomains_regular=statDomains_regular) -@hiddenServices.route("/hiddenServices/2", methods=['GET']) -@login_required -def hiddenServices_page_test(): - return render_template("Crawler_index.html") - @hiddenServices.route("/crawlers/manual", methods=['GET']) @login_required +@login_analyst def manual(): return render_template("Crawler_Splash_manual.html", crawler_enabled=crawler_enabled) @hiddenServices.route("/crawlers/crawler_splash_onion", methods=['GET']) @login_required +@login_analyst def crawler_splash_onion(): type = 'onion' last_onions = get_last_domains_crawled(type) @@ -285,6 +285,7 @@ def crawler_splash_onion(): @hiddenServices.route("/crawlers/Crawler_Splash_last_by_type", methods=['GET']) @login_required +@login_analyst def Crawler_Splash_last_by_type(): type = request.args.get('type') # verify user input 
@@ -309,6 +310,7 @@ def Crawler_Splash_last_by_type(): @hiddenServices.route("/crawlers/blacklisted_domains", methods=['GET']) @login_required +@login_analyst def blacklisted_domains(): blacklist_domain = request.args.get('blacklist_domain') unblacklist_domain = request.args.get('unblacklist_domain') @@ -344,6 +346,7 @@ def blacklisted_domains(): @hiddenServices.route("/crawler/blacklist_domain", methods=['GET']) @login_required +@login_analyst def blacklist_domain(): domain = request.args.get('domain') type = request.args.get('type') @@ -366,6 +369,7 @@ def blacklist_domain(): @hiddenServices.route("/crawler/unblacklist_domain", methods=['GET']) @login_required +@login_analyst def unblacklist_domain(): domain = request.args.get('domain') type = request.args.get('type') @@ -388,6 +392,7 @@ def unblacklist_domain(): @hiddenServices.route("/crawlers/create_spider_splash", methods=['POST']) @login_required +@login_analyst def create_spider_splash(): url = request.form.get('url_to_crawl') automatic = request.form.get('crawler_type') @@ -475,6 +480,7 @@ def create_spider_splash(): @hiddenServices.route("/crawlers/auto_crawler", methods=['GET']) @login_required +@login_analyst def auto_crawler(): nb_element_to_display = 100 try: @@ -528,6 +534,7 @@ def auto_crawler(): @hiddenServices.route("/crawlers/remove_auto_crawler", methods=['GET']) @login_required +@login_analyst def remove_auto_crawler(): url = request.args.get('url') page = request.args.get('page') @@ -538,6 +545,7 @@ def remove_auto_crawler(): @hiddenServices.route("/crawlers/crawler_dashboard_json", methods=['GET']) @login_required +@login_analyst def crawler_dashboard_json(): crawler_metadata_onion = get_crawler_splash_status('onion') 
@@ -555,6 +563,7 @@ def crawler_dashboard_json(): # # TODO: refractor @hiddenServices.route("/hiddenServices/last_crawled_domains_with_stats_json", methods=['GET']) @login_required +@login_analyst def last_crawled_domains_with_stats_json(): last_onions = r_serv_onion.lrange('last_onion', 0 ,-1) list_onion = [] @@ -605,6 +614,7 @@ def last_crawled_domains_with_stats_json(): @hiddenServices.route("/hiddenServices/get_onions_by_daterange", methods=['POST']) @login_required +@login_analyst def get_onions_by_daterange(): date_from = request.form.get('date_from') date_to = request.form.get('date_to') @@ -617,6 +627,7 @@ def get_onions_by_daterange(): @hiddenServices.route("/hiddenServices/show_domains_by_daterange", methods=['GET']) @login_required +@login_analyst def show_domains_by_daterange(): date_from = request.args.get('date_from') date_to = request.args.get('date_to') @@ -722,6 +733,7 @@ def show_domains_by_daterange(): @hiddenServices.route("/crawlers/show_domain", methods=['GET']) @login_required +@login_analyst def show_domain(): domain = request.args.get('domain') epoch = request.args.get('epoch') @@ -805,6 +817,8 @@ def show_domain(): domain_tags=domain_tags, screenshot=screenshot) @hiddenServices.route("/crawlers/download_domain", methods=['GET']) +@login_required +@login_analyst def download_domain(): domain = request.args.get('domain') epoch = request.args.get('epoch') @@ -857,6 +871,7 @@ def download_domain(): @hiddenServices.route("/hiddenServices/onion_son", methods=['GET']) @login_required +@login_analyst def onion_son(): onion_domain = request.args.get('onion_domain') @@ -868,6 +883,7 @@ def onion_son(): # ============= JSON ============== @hiddenServices.route("/hiddenServices/domain_crawled_7days_json", methods=['GET']) @login_required +@login_analyst def domain_crawled_7days_json(): type = 'onion' ## TODO: # FIXME: 404 error 
@@ -887,6 +903,7 @@ def domain_crawled_7days_json(): @hiddenServices.route('/hiddenServices/domain_crawled_by_type_json') @login_required +@login_analyst def domain_crawled_by_type_json(): current_date = request.args.get('date') type = request.args.get('type') diff --git a/var/www/modules/rawSkeleton/Flask_rawSkeleton.py b/var/www/modules/rawSkeleton/Flask_rawSkeleton.py index fe6e1f66..d767a83c 100644 --- a/var/www/modules/rawSkeleton/Flask_rawSkeleton.py +++ b/var/www/modules/rawSkeleton/Flask_rawSkeleton.py @@ -6,6 +6,8 @@ ''' import redis from flask import Flask, render_template, jsonify, request, Blueprint + +from Role_Manager import login_admin, login_analyst from flask_login import login_required # ============ VARIABLES ============ @@ -24,6 +26,7 @@ def one(): @rawSkeleton.route("/rawSkeleton/", methods=['GET']) @login_required +@login_analyst def skeleton_page(): return render_template("rawSkeleton.html") diff --git a/var/www/modules/search/Flask_search.py b/var/www/modules/search/Flask_search.py index 866c0bfc..67a518fb 100644 --- a/var/www/modules/search/Flask_search.py +++ b/var/www/modules/search/Flask_search.py @@ -10,6 +10,8 @@ import os import datetime import flask from flask import Flask, render_template, jsonify, request, Blueprint + +from Role_Manager import login_admin, login_analyst from flask_login import login_required import Paste @@ -95,6 +97,7 @@ def to_iso_date(timestamp): @searches.route("/search", methods=['POST']) @login_required +@login_analyst def search(): query = request.form['query'] q = [] @@ -183,6 +186,7 @@ def search(): @searches.route("/get_more_search_result", methods=['POST']) @login_required +@login_analyst def get_more_search_result(): query = request.form['query'] q = [] diff --git a/var/www/modules/sentiment/Flask_sentiment.py b/var/www/modules/sentiment/Flask_sentiment.py index 14904558..af6c220c 100644 --- a/var/www/modules/sentiment/Flask_sentiment.py +++ b/var/www/modules/sentiment/Flask_sentiment.py 
@@ -10,6 +10,8 @@ import calendar from Date import Date import flask from flask import Flask, render_template, jsonify, request, Blueprint + +from Role_Manager import login_admin, login_analyst from flask_login import login_required import Paste @@ -41,12 +43,14 @@ def get_date_range(num_day): @sentiments.route("/sentiment_analysis_trending/") @login_required +@login_analyst def sentiment_analysis_trending(): return render_template("sentiment_analysis_trending.html") @sentiments.route("/sentiment_analysis_getplotdata/", methods=['GET']) @login_required +@login_analyst def sentiment_analysis_getplotdata(): # Get the top providers based on number of pastes oneHour = 60*60 @@ -98,6 +102,7 @@ def sentiment_analysis_getplotdata(): @sentiments.route("/sentiment_analysis_plot_tool/") @login_required +@login_analyst def sentiment_analysis_plot_tool(): return render_template("sentiment_analysis_plot_tool.html") @@ -105,6 +110,7 @@ def sentiment_analysis_plot_tool(): @sentiments.route("/sentiment_analysis_plot_tool_getdata/", methods=['GET']) @login_required +@login_analyst def sentiment_analysis_plot_tool_getdata(): getProviders = request.args.get('getProviders') diff --git a/var/www/modules/settings/Flask_settings.py b/var/www/modules/settings/Flask_settings.py index 8a5fb776..09d5597d 100644 --- a/var/www/modules/settings/Flask_settings.py +++ b/var/www/modules/settings/Flask_settings.py @@ -7,7 +7,8 @@ from flask import Flask, render_template, jsonify, request, Blueprint, redirect, url_for from flask_login import login_required, current_user -from Role_Manager import login_admin, login_analyst, create_user_db, edit_user_db, delete_user_db, check_password_strength +from Role_Manager import login_admin, login_analyst +from Role_Manager import create_user_db, edit_user_db, delete_user_db, check_password_strength import json import secrets 
@@ -104,6 +105,7 @@ def get_all_roles(): @settings.route("/settings/", methods=['GET']) @login_required +@login_analyst def settings_page(): git_metadata = get_git_metadata() current_version = r_serv_db.get('ail:version') @@ -114,18 +116,21 @@ def settings_page(): @settings.route("/settings/edit_profile", methods=['GET']) @login_required +@login_analyst def edit_profile(): user_metadata = get_user_metadata(current_user.get_id()) return render_template("edit_profile.html", user_metadata=user_metadata) @settings.route("/settings/new_token", methods=['GET']) @login_required +@login_analyst def new_token(): generate_new_token(current_user.get_id()) return redirect(url_for('settings.edit_profile')) @settings.route("/settings/new_token_user", methods=['GET']) @login_required +@login_admin def new_token_user(): user_id = request.args.get('user_id') if r_serv_db.exists('user_metadata:{}'.format(user_id)): @@ -134,6 +139,7 @@ def new_token_user(): @settings.route("/settings/create_user", methods=['GET']) @login_required +@login_admin def create_user(): user_id = request.args.get('user_id') role = None @@ -146,6 +152,7 @@ def create_user(): @settings.route("/settings/create_user_post", methods=['POST']) @login_required +@login_admin def create_user_post(): email = request.form.get('username') role = request.form.get('user_role') @@ -190,6 +197,7 @@ def create_user_post(): @settings.route("/settings/users_list", methods=['GET']) @login_required +@login_admin def users_list(): all_users = get_users_metadata(get_all_users()) new_user = request.args.get('new_user') @@ -202,12 +210,14 @@ def users_list(): @settings.route("/settings/edit_user", methods=['GET']) @login_required +@login_admin def edit_user(): user_id = request.args.get('user_id') return redirect(url_for('settings.create_user', user_id=user_id)) @settings.route("/settings/delete_user", methods=['GET']) @login_required +@login_admin def delete_user(): user_id = request.args.get('user_id') delete_user_db(user_id) 
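Review bot: `delete_user`, `edit_user`, `new_token_user` and `create_user` in the `@@ -114,18 +116,21 @@` and `@@ -202,12 +210,14 @@` hunks now carry `@login_admin`, but they still act on a `user_id` taken from the query string of a GET request, so the role check only establishes who is logged in; a link or image fetched in an administrator's browser can still trigger `delete_user_db(user_id)` or what looks like a token rotation with the admin's session (whether a CSRF protection is installed elsewhere is not visible here). The same applies to `new_token`, which regenerates the current user's token on GET, and to the GET toggles in PasteSubmit and the blacklist routes in hiddenServices. Destructive and credential-changing actions belong on `methods=['POST']` with a CSRF token checked in the handler, leaving GET for the pages that render the forms. If that is out of scope for this change, a comment such as `# TODO: state-changing action on GET; move to POST + CSRF token` on each of these routes keeps the gap visible.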
@@ -216,6 +226,7 @@ def delete_user(): @settings.route("/settings/get_background_update_stats_json", methods=['GET']) @login_required +@login_analyst def get_background_update_stats_json(): # handle :end, error update_stats = {} diff --git a/var/www/modules/showpaste/Flask_showpaste.py b/var/www/modules/showpaste/Flask_showpaste.py index dafba343..fb990bbf 100644 --- a/var/www/modules/showpaste/Flask_showpaste.py +++ b/var/www/modules/showpaste/Flask_showpaste.py @@ -9,6 +9,8 @@ import json import os import flask from flask import Flask, render_template, jsonify, request, Blueprint, make_response, Response, send_from_directory, redirect, url_for + +from Role_Manager import login_admin, login_analyst from flask_login import login_required import difflib @@ -383,18 +385,21 @@ def show_item_min(requested_path , content_range=0): @showsavedpastes.route("/showsavedpaste/") #completely shows the paste in a new tab @login_required +@login_analyst def showsavedpaste(): requested_path = request.args.get('paste', '') return showpaste(0, requested_path) @showsavedpastes.route("/showsaveditem_min/") #completely shows the paste in a new tab @login_required +@login_analyst def showsaveditem_min(): requested_path = request.args.get('paste', '') return show_item_min(requested_path) @showsavedpastes.route("/showsavedrawpaste/") #shows raw @login_required +@login_analyst def showsavedrawpaste(): requested_path = request.args.get('paste', '') paste = Paste.Paste(requested_path) @@ -403,6 +408,7 @@ def showsavedrawpaste(): @showsavedpastes.route("/showpreviewpaste/") @login_required +@login_analyst def showpreviewpaste(): num = request.args.get('num', '') requested_path = request.args.get('paste', '') @@ -411,6 +417,7 @@ def showpreviewpaste(): @showsavedpastes.route("/getmoredata/") @login_required +@login_analyst def getmoredata(): requested_path = request.args.get('paste', '') paste = Paste.Paste(requested_path) 
@@ -420,6 +427,7 @@ def getmoredata(): @showsavedpastes.route("/showDiff/") @login_required +@login_analyst def showDiff(): s1 = request.args.get('s1', '') s2 = request.args.get('s2', '') @@ -437,11 +445,13 @@ def showDiff(): @showsavedpastes.route('/screenshot/') @login_required +@login_analyst def screenshot(filename): return send_from_directory(SCREENSHOT_FOLDER, filename+'.png', as_attachment=True) @showsavedpastes.route('/send_file_to_vt/', methods=['POST']) @login_required +@login_analyst def send_file_to_vt(): b64_path = request.form['b64_path'] paste = request.form['paste'] diff --git a/var/www/modules/terms/Flask_terms.py b/var/www/modules/terms/Flask_terms.py index fd42ec4d..f3b8c7de 100644 --- a/var/www/modules/terms/Flask_terms.py +++ b/var/www/modules/terms/Flask_terms.py @@ -11,6 +11,8 @@ import datetime import calendar import flask from flask import Flask, render_template, jsonify, request, Blueprint, url_for, redirect + +from Role_Manager import login_admin, login_analyst from flask_login import login_required import re @@ -146,6 +148,7 @@ def save_tag_to_auto_push(list_tag): @terms.route("/terms_management/") @login_required +@login_analyst def terms_management(): per_paste = request.args.get('per_paste') if per_paste == "1" or per_paste is None: @@ -265,6 +268,7 @@ def terms_management(): @terms.route("/terms_management_query_paste/") @login_required +@login_analyst def terms_management_query_paste(): term = request.args.get('term') paste_info = [] @@ -298,6 +302,7 @@ def terms_management_query_paste(): @terms.route("/terms_management_query/") @login_required +@login_analyst def terms_management_query(): TrackedTermsDate_Name = "TrackedTermDate" BlackListTermsDate_Name = "BlackListTermDate" @@ -321,6 +326,7 @@ def terms_management_query(): @terms.route("/terms_management_action/", methods=['GET']) @login_required +@login_analyst def terms_management_action(): today = datetime.datetime.now() today = today.replace(microsecond=0) 
@@ -447,6 +453,7 @@ def terms_management_action():
 @terms.route("/terms_management/delete_terms_tags", methods=['POST'])
 @login_required
+@login_analyst
 def delete_terms_tags():
 term = request.form.get('term')
 tags_to_delete = request.form.getlist('tags_to_delete')
@@ -460,6 +467,7 @@ def delete_terms_tags():
 @terms.route("/terms_management/delete_terms_email", methods=['GET'])
 @login_required
+@login_analyst
 def delete_terms_email():
 term = request.args.get('term')
 email = request.args.get('email')
@@ -473,6 +481,7 @@ def delete_terms_email():
 @terms.route("/terms_plot_tool/")
 @login_required
+@login_analyst
 def terms_plot_tool():
 term = request.args.get('term')
 if term is not None:
@@ -483,6 +492,7 @@ def terms_plot_tool():
 @terms.route("/terms_plot_tool_data/")
 @login_required
+@login_analyst
 def terms_plot_tool_data():
 oneDay = 60*60*24
 range_start = datetime.datetime.utcfromtimestamp(int(float(request.args.get('range_start')))) if request.args.get('range_start') is not None else 0;
@@ -514,6 +524,7 @@ def terms_plot_tool_data():
 @terms.route("/terms_plot_top/")
 @login_required
+@login_analyst
 def terms_plot_top():
 per_paste = request.args.get('per_paste')
 per_paste = per_paste if per_paste is not None else 1
@@ -522,6 +533,7 @@ def terms_plot_top():
 @terms.route("/terms_plot_top_data/")
 @login_required
+@login_analyst
 def terms_plot_top_data():
 oneDay = 60*60*24
 today = datetime.datetime.now()
@@ -569,11 +581,13 @@ def terms_plot_top_data():
 @terms.route("/credentials_tracker/")
 @login_required
+@login_analyst
 def credentials_tracker():
 return render_template("credentials_tracker.html")
 @terms.route("/credentials_management_query_paste/", methods=['GET', 'POST'])
 @login_required
+@login_analyst
 def credentials_management_query_paste():
 cred = request.args.get('cred')
 allPath = request.json['allPath']
@@ -598,6 +612,7 @@ def credentials_management_query_paste():
 @terms.route("/credentials_management_action/", methods=['GET'])
 @login_required
+@login_analyst
 def cred_management_action():
 supplied = request.args.get('term')
diff --git a/var/www/modules/trendingcharts/Flask_trendingcharts.py b/var/www/modules/trendingcharts/Flask_trendingcharts.py
index bad6a353..a037e171 100644
--- a/var/www/modules/trendingcharts/Flask_trendingcharts.py
+++ b/var/www/modules/trendingcharts/Flask_trendingcharts.py
@@ -9,6 +9,8 @@ import datetime
 from Date import Date
 import flask
 from flask import Flask, render_template, jsonify, request, Blueprint
+
+from Role_Manager import login_admin, login_analyst
 from flask_login import login_required
 # ============ VARIABLES ============
@@ -38,6 +40,7 @@ def get_date_range(num_day):
 @trendings.route("/_progressionCharts", methods=['GET'])
 @login_required
+@login_analyst
 def progressionCharts():
 attribute_name = request.args.get('attributeName')
 trending_name = request.args.get('trendingName')
@@ -64,6 +67,7 @@ def progressionCharts():
 @trendings.route("/wordstrending/")
 @login_required
+@login_analyst
 def wordstrending():
 default_display = cfg.get("Flask", "default_display")
 return render_template("Wordstrending.html", default_display = default_display)
@@ -71,6 +75,7 @@ def wordstrending():
 @trendings.route("/protocolstrending/")
 @login_required
+@login_analyst
 def protocolstrending():
 default_display = cfg.get("Flask", "default_display")
 return render_template("Protocolstrending.html", default_display = default_display)
@@ -78,6 +83,7 @@ def protocolstrending():
 @trendings.route("/trending/")
 @login_required
+@login_analyst
 def trending():
 default_display = cfg.get("Flask", "default_display")
 return render_template("Trending.html", default_display = default_display)
diff --git a/var/www/modules/trendingmodules/Flask_trendingmodules.py b/var/www/modules/trendingmodules/Flask_trendingmodules.py
index a53066b9..80646ecb 100644
--- a/var/www/modules/trendingmodules/Flask_trendingmodules.py
+++ b/var/www/modules/trendingmodules/Flask_trendingmodules.py
@@ -9,6 +9,8 @@ import datetime
 from Date import Date
 import flask
 from flask import Flask, render_template, jsonify, request, Blueprint
+
+from Role_Manager import login_admin, login_analyst
 from flask_login import login_required
 # ============ VARIABLES ============
@@ -51,6 +53,7 @@ def get_date_range(num_day):
 @trendingmodules.route("/_moduleCharts", methods=['GET'])
 @login_required
+@login_analyst
 def modulesCharts():
 keyword_name = request.args.get('keywordName')
 module_name = request.args.get('moduleName')
@@ -78,6 +81,7 @@ def modulesCharts():
 @trendingmodules.route("/_providersChart", methods=['GET'])
 @login_required
+@login_analyst
 def providersChart():
 keyword_name = request.args.get('keywordName')
 module_name = request.args.get('moduleName')
@@ -125,6 +129,7 @@ def providersChart():
 @trendingmodules.route("/moduletrending/")
 @login_required
+@login_analyst
 def moduletrending():
 return render_template("Moduletrending.html")
diff --git a/var/www/templates/error/403.html b/var/www/templates/error/403.html
new file mode 100644
index 00000000..e90433ba
--- /dev/null
+++ b/var/www/templates/error/403.html
@@ -0,0 +1,49 @@ + + + + + 403 - AIL + + + + + + + + +{% include 'nav_bar.html' %} + +
+
+
+

403 Forbidden

+
+
+
+
+
+
+
+                                  ,d8       ,a8888a,     ad888888b,
+                                ,d888     ,8P"'  `"Y8,  d8"     "88
+                              ,d8" 88    ,8P        Y8,         a8P
+                            ,d8"   88    88          88      aad8"
+                          ,d8"     88    88          88      ""Y8,
+                          8888888888888  `8b        d8'         "8b
+                                   88     `8ba,  ,ad8'  Y8,     a88
+                                   88       "Y8888P"     "Y888888P'
+
+88888888888                       88           88           88           88
+88                                88           ""           88           88
+88                                88                        88           88
+88aaaaa   ,adPPYba,   8b,dPPYba,  88,dPPYba,   88   ,adPPYb,88   ,adPPYb,88   ,adPPYba,  8b,dPPYba,
+88"""""  a8"     "8a  88P'   "Y8  88P'    "8a  88  a8"    `Y88  a8"    `Y88  a8P_____88  88P'   `"8a
+88       8b       d8  88          88       d8  88  8b       88  8b       88  8PP"""""""  88       88
+88       "8a,   ,a8"  88          88b,   ,a8"  88  "8a,   ,d88  "8a,   ,d88  "8b,   ,aa  88       88
+88        `"YbbdP"'   88          8Y"Ybbd8"'   88   `"8bbdP"Y8   `"8bbdP"Y8   `"Ybbd8"'  88       88
+
+
+ + + +