http: apply channel check to ticket and credentials

Before, if the ticket denied channel access, credentials couldn't be used to override. Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
tvheadend · Nov 10, 2015 · 1a1d985 · 1a1d985
1 parent 725cab5
commit 1a1d985
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/http.c b/src/http.c
@@ -576,19 +576,25 @@ http_access_verify_channel(http_connection_t *hc, int mask,
   if (ticket)
     http_access_verify_ticket(hc);
 
-  if (hc->hc_access)
+  if (hc->hc_access) {
     res = access_verify2(hc->hc_access, mask);
 
+    if (!res && !channel_access(ch, hc->hc_access, 0))
+      res = -1;
+  }
+
   if (res) {
     access_destroy(hc->hc_access);
     hc->hc_access = access_get(hc->hc_username, hc->hc_password,
                                (struct sockaddr *)hc->hc_peer);
-    if (hc->hc_access)
+    if (hc->hc_access) {
       res = access_verify2(hc->hc_access, mask);
+
+      if (!res && !channel_access(ch, hc->hc_access, 0))
+        res = -1;
+    }
   }
 
-  if (!res && !channel_access(ch, hc->hc_access, 0))
-    res = -1;
 
   return res;
 }