Commit 1b1e15b5 authored by Lukas Burgey's avatar Lukas Burgey

Fix an authorization check

parent 18d9ea05
......@@ -185,26 +185,34 @@ def topic_endpoint_webpageclient(request, webpage_client_userid):
name = request.POST.get('name', '')
routing_key = request.POST.get('routing_key', '')
if (
routing_key == webpage_client_userid
and not 'write' in permission
):
if CLIENT_DEBUGGING:
LOGGER.debug(
'[auth:topic_endpoint] Granted %s access to %s %s to client',
permission,
resource,
routing_key,
)
try:
models.User.objects.get(id=webpage_client_userid)
if not 'write' in permission:
if CLIENT_DEBUGGING:
LOGGER.debug(
'[auth:topic_endpoint] Granted %s access to %s %s to client',
permission,
resource,
routing_key,
)
return ALLOW
LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed',
resource,
name,
routing_key,
)
return DENY
LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed: write permission requested',
resource,
name,
routing_key,
)
return DENY
except models.User.DoesNotExist:
LOGGER.error(
'[auth:topic_endpoint_webpageclient] Auth check for resource %s %s %s for client failed',
resource,
name,
routing_key,
)
return DENY
def topic_endpoint_apiclient(request, apiclient):
name = request.POST.get('name', '')
......@@ -257,7 +265,7 @@ def topic_endpoint(request):
return DENY
webpage_client_userid = _webpage_client_userid(request)
if webpage_client_userid:
if webpage_client_userid != '':
return topic_endpoint_webpageclient(request, webpage_client_userid)
apiclient = _apiclient_get(request)
......
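Review bot: The rewritten check in topic_endpoint_webpageclient appears to have lost the `routing_key == webpage_client_userid` comparison: as far as the new side can be read from this rendered page, ALLOW now depends only on the user row existing and on `'write'` being absent from `permission`. If that reading is right, any valid webpage client is granted non-write access to every routing key, not only its own. Keep the binding next to the existence lookup, e.g. `if routing_key == webpage_client_userid and 'write' not in permission:`, and log a mismatch as its own DENY reason. Also, only `models.User.DoesNotExist` is caught; if `id` is an integer field, a malformed id taken from the request would presumably raise `ValueError` and end in a server error instead of an explicit DENY, so `except (models.User.DoesNotExist, ValueError):` would make the check fail closed.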