Permalink
Browse files
Enforce permissions on get device api endpoint
Any logged in user could read any device.
- Loading branch information...
Showing
with
6 additions
and
0 deletions.
-
+6
−0
src/controllers/api/device.go
|
|
@@ -554,6 +554,7 @@ func (d *Device) EditExpirationHandler(w http.ResponseWriter, r *http.Request, p |
|
|
}
|
|
|
|
|
|
func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
|
|
sessionUser := models.GetUserFromContext(r)
|
|
|
macParam := p.ByName("mac")
|
|
|
|
|
|
mac, err := net.ParseMAC(macParam)
|
|
|
@@ -568,6 +569,11 @@ func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p http |
|
|
return
|
|
|
}
|
|
|
|
|
|
if device.Username != sessionUser.Username && !sessionUser.Can(models.ViewDevices) {
|
|
|
common.NewAPIResponse("Unauthorized", nil).WriteResponse(w, http.StatusUnauthorized)
|
|
|
return
|
|
|
}
|
|
|
|
|
|
if device.ID == 0 {
|
|
|
w.WriteHeader(http.StatusNotFound)
|
|
|
return
|
|
|
|
0 comments on commit
525b6fd