
Enforce permissions on get device api endpoint

Any logged in user could read any device.
lfkeitel committed Feb 6, 2018
1 parent dc769fb commit 525b6fdeb17cab2a3068ccbaa88b9de06c23ad8f
Showing with 6 additions and 0 deletions.
  1. +6 −0 src/controllers/api/device.go
@@ -554,6 +554,7 @@ func (d *Device) EditExpirationHandler(w http.ResponseWriter, r *http.Request, p
}
func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
sessionUser := models.GetUserFromContext(r)
macParam := p.ByName("mac")
mac, err := net.ParseMAC(macParam)
@@ -568,6 +569,11 @@ func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p http
return
}
if device.Username != sessionUser.Username && !sessionUser.Can(models.ViewDevices) {
common.NewAPIResponse("Unauthorized", nil).WriteResponse(w, http.StatusUnauthorized)
return
}
if device.ID == 0 {
w.WriteHeader(http.StatusNotFound)
return
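Review bot: The ownership test on the `device.Username != sessionUser.Username` line runs before the `device.ID == 0` check, so a caller without `models.ViewDevices` receives 401 for an unregistered MAC as well as for another user's device, while a caller with that permission receives 404 for the same MAC — presumably intended, since it keeps unprivileged callers from learning whether a MAC is registered, but it reads as accidental ordering and deserves a comment such as `// Authorize before the existence check so that callers without ViewDevices cannot tell an unregistered MAC from another user's device.`. The rejection also uses `http.StatusUnauthorized` although the caller is already authenticated; `http.StatusForbidden` is the conventional code for an authenticated-but-not-permitted request, unless the rest of this API consistently uses 401 for that case. The hunk does not show what `models.GetUserFromContext` returns when no session user is attached; if that can be nil, the `sessionUser.Username` access needs a guard, which should be confirmed against the login middleware. GetDeviceHandler's body continues beyond the hunk, so the lookup that fills `device` is not visible here.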
