Enforce permissions on get device api endpoint
Any logged-in user could read any device.
lfkeitel committed Feb 6, 2018
1 parent dc769fb commit 525b6fd
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/controllers/api/device.go
Expand Up @@ -554,6 +554,7 @@ func (d *Device) EditExpirationHandler(w http.ResponseWriter, r *http.Request, p
}

func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
sessionUser := models.GetUserFromContext(r)
macParam := p.ByName("mac")

mac, err := net.ParseMAC(macParam)
Expand All @@ -568,6 +569,11 @@ func (d *Device) GetDeviceHandler(w http.ResponseWriter, r *http.Request, p http
return
}

if device.Username != sessionUser.Username && !sessionUser.Can(models.ViewDevices) {
common.NewAPIResponse("Unauthorized", nil).WriteResponse(w, http.StatusUnauthorized)
return
}

if device.ID == 0 {
w.WriteHeader(http.StatusNotFound)
return
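Review bot: The new permission check answers an authenticated caller who lacks permission with 401 Unauthorized, which signals "not authenticated"; the conventional code for "authenticated but not allowed" is 403, so unless the rest of this API deliberately uses 401 for authorization failures, the response line should read `common.NewAPIResponse("Forbidden", nil).WriteResponse(w, http.StatusForbidden)`. The check itself is fail-closed (a user who is neither the owner nor a ViewDevices holder is rejected), and its placement ahead of the `device.ID == 0` branch is what keeps an unprivileged caller from distinguishing another user's device from an unregistered MAC — that intent deserves a comment so a later reorder does not reintroduce the enumeration oracle: `// Authorize before the not-found check so unprivileged callers cannot probe which MACs are registered.` The dereference of sessionUser presumably relies on an auth middleware guaranteeing GetUserFromContext never returns nil here; that cannot be confirmed from this hunk and is worth checking, since a nil would panic before the check runs. GetDeviceHandler continues past the end of the hunk.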
