Add an in-memory superusermanager, which stores the current list of superusers in a process-shared Value. We do this because in the ER, when we add a new superuser, we need to ensure that ALL workers have their lists updated (otherwise we get the behavior that some workers validate the new permission and others do not).

endpoints/api/superuser.py

@@ -4,7 +4,7 @@ import json
 import os
 
 from random import SystemRandom
-from app import app, avatar
+from app import app, avatar, superusers
 from flask import request
 
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
@@ -109,7 +109,7 @@ def user_view(user):
     'email': user.email,
     'verified': user.verified,
     'avatar': avatar.compute_hash(user.email, name=user.username),
-    'super_user': user.username in app.config['SUPER_USERS']
+    'super_user': superusers.is_superuser(user.username)
   }
 
 @resource('/v1/superuser/usage/')
@@ -217,7 +217,7 @@ class SuperUserSendRecoveryEmail(ApiResource):
       if not user or user.organization or user.robot:
         abort(404)
 
-      if username in app.config['SUPER_USERS']:
+      if superusers.is_superuser(username):
           abort(403)
 
       code = model.create_reset_password_email_code(user.email)
@@ -277,7 +277,7 @@ class SuperUserManagement(ApiResource):
       if not user or user.organization or user.robot:
         abort(404)
 
-      if username in app.config['SUPER_USERS']:
+      if superusers.is_superuser(username):
           abort(403)
 
       model.delete_user(user)
@@ -296,7 +296,7 @@ class SuperUserManagement(ApiResource):
         if not user or user.organization or user.robot:
           abort(404)
 
-        if username in app.config['SUPER_USERS']:
+        if superusers.is_superuser(username):
           abort(403)
 
         user_data = request.get_json()