HTTP API: add missing access verification for all API calls

tvheadend · Sep 12, 2014 · 33a516b · 33a516b
1 parent 2c7cc8c
commit 33a516b
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/api.c b/src/api.c
@@ -84,6 +84,9 @@ api_exec ( access_t *perm, const char *subsystem,
     return ENOSYS; // TODO: is this really the right error code?
   }
 
+  if (access_verify2(perm, ah->hook->ah_access))
+    return EPERM;
+
   /* Extract method */
   op = htsmsg_get_str(args, "method");
   if (!op)