Skip to content

/ packet-guardian

Permalink
Browse files

Enforce permissions on get device api endpoint 

Any logged in user could read any device.
  • Loading branch information
@lfkeitel
lfkeitel committed Feb 6, 2018
Verified
This commit was signed with the committer’s verified signature.
lfkeitel Lee Keitel
GPG key ID: 6BF6C6AD2072A8DF Learn about signing commits
1 parent dc769fb commit 525b6fdeb17cab2a3068ccbaa88b9de06c23ad8f
Unified Split
Showing with 6 additions and 0 deletions.
  1. +6 −0 src/controllers/api/device.go
6 src/controllers/api/device.go
View file
@@ -554,6 +554,7 @@ func (d *Device) EditExpirationHandler(w http.ResponseWriter, r *http.Request, p
}

func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
sessionUser := models.GetUserFromContext(r)
macParam := p.ByName("mac")

mac, err := net.ParseMAC(macParam)
@@ -568,6 +569,11 @@ func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p http
return
}

if device.Username != sessionUser.Username && !sessionUser.Can(models.ViewDevices) {
common.NewAPIResponse("Unauthorized", nil).WriteResponse(w, http.StatusUnauthorized)
return
}

if device.ID == 0 {
w.WriteHeader(http.StatusNotFound)
return

0 comments on commit 525b6fd

Please sign in to comment.