reworked authorization, now works on api level

1 files changed, 37 insertions, 4 deletions

diff --git a/module/remote/thriftbackend/Processor.py b/module/remote/thriftbackend/Processor.py
index a8fc94298..a8b87c82c 100644
--- a/module/remote/thriftbackend/Processor.py
+++ b/module/remote/thriftbackend/Processor.py
@@ -12,14 +12,18 @@ class Processor(Pyload.Processor):
         if trans not in self.authenticated:
             self.authenticated[trans] = False
             oldclose = trans.close
+
             def wrap():
                 if self in self.authenticated:
                     del self.authenticated[trans]
                 oldclose()
+
             trans.close = wrap
         authenticated = self.authenticated[trans]
         (name, type, seqid) = iprot.readMessageBegin()
-        if name not in self._processMap or (not authenticated and not name == "login"):
+
+        # unknown method
+        if name not in self._processMap:
             iprot.skip(Pyload.TType.STRUCT)
             iprot.readMessageEnd()
             x = Pyload.TApplicationException(Pyload.TApplicationException.UNKNOWN_METHOD, 'Unknown function %s' % name)
@@ -28,17 +32,46 @@ class Processor(Pyload.Processor):
             oprot.writeMessageEnd()
             oprot.trans.flush()
             return
+
+        # not logged in
+        elif not authenticated and not name == "login":
+            iprot.skip(Pyload.TType.STRUCT)
+            iprot.readMessageEnd()
+            # 20 - Not logged in (in situ declared error code)
+            x = Pyload.TApplicationException(20, 'Not logged in')
+            oprot.writeMessageBegin(name, Pyload.TMessageType.EXCEPTION, seqid)
+            x.write(oprot)
+            oprot.writeMessageEnd()
+            oprot.trans.flush()
+            return
+
         elif not authenticated and name == "login":
             args = Pyload.login_args()
             args.read(iprot)
             iprot.readMessageEnd()
             result = Pyload.login_result()
-            self.authenticated[trans] = self._handler.login(args.username, args.password, trans.remoteaddr[0])
-            result.success = self.authenticated[trans]
+            # api login
+            self.authenticated[trans] = self._handler.checkAuth(args.username, args.password, trans.remoteaddr[0])
+
+            result.success = True if self.authenticated[trans] else False
             oprot.writeMessageBegin("login", Pyload.TMessageType.REPLY, seqid)
             result.write(oprot)
             oprot.writeMessageEnd()
             oprot.trans.flush()
-        else:
+
+        elif self._handler.isAuthorized(name, authenticated):
             self._processMap[name](self, seqid, iprot, oprot)
+
+        else:
+            #no permission
+            iprot.skip(Pyload.TType.STRUCT)
+            iprot.readMessageEnd()
+            # 21 - Not authorized
+            x = Pyload.TApplicationException(21, 'Not authorized')
+            oprot.writeMessageBegin(name, Pyload.TMessageType.EXCEPTION, seqid)
+            x.write(oprot)
+            oprot.writeMessageEnd()
+            oprot.trans.flush()
+            return
+
         return True