Enforce permissions on get device api endpoint
Any logged in user could read any device.
Showing
with
6 additions
and
0 deletions.
-
+6
−0
src/controllers/api/device.go
|
@@ -554,6 +554,7 @@ func (d *Device) EditExpirationHandler(w http.ResponseWriter, r *http.Request, p |
|
|
} |
|
|
|
|
|
func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p httprouter.Params) { |
|
|
sessionUser := models.GetUserFromContext(r) |
|
|
macParam := p.ByName("mac") |
|
|
|
|
|
mac, err := net.ParseMAC(macParam) |
|
@@ -568,6 +569,11 @@ func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p http |
|
|
return |
|
|
} |
|
|
|
|
|
if device.Username != sessionUser.Username && !sessionUser.Can(models.ViewDevices) { |
|
|
common.NewAPIResponse("Unauthorized", nil).WriteResponse(w, http.StatusUnauthorized) |
|
|
return |
|
|
} |
|
|
|
|
|
if device.ID == 0 { |
|
|
w.WriteHeader(http.StatusNotFound) |
|
|
return |
|
|
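Review bot: The new ownership check runs before the `device.ID == 0` existence check, so a caller without `models.ViewDevices` gets 401 both for another user's device and for a MAC that does not exist, while a privileged caller gets 404 for the latter; that ordering is what prevents the endpoint from being used as a device-existence oracle, but nothing says so and a later cleanup could move the 404 first. I would add `// Authorize before checking existence so non-privileged callers cannot probe which MACs exist.` above the `if device.Username != sessionUser.Username` line. Separately, the caller here is already authenticated, so `http.StatusForbidden` is the more accurate status than `http.StatusUnauthorized`, though changing it is an API-compat decision. Whether `sessionUser` can be nil at this point depends on middleware outside the hunk; the body of `GetDeviceHandler` continues past the hunk.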