authorGravatar RaNaN <Mast3rRaNaN@hotmail.de> 2011-09-27 16:24:03 +0200
committerGravatar RaNaN <Mast3rRaNaN@hotmail.de> 2011-09-27 16:24:03 +0200
commit5f8a4d25ea9034cadc8ae19a2ffab788f62cc56c (patch)
tree9d947797aafb3e9d97dbf10313c5f48f6f3d6198 /module/web/api_app.py
parentMerge (diff)
downloadpyload-5f8a4d25ea9034cadc8ae19a2ffab788f62cc56c.tar.xz
reworked authorization, now works on api level
Diffstat (limited to 'module/web/api_app.py')
-rw-r--r--module/web/api_app.py6
1 files changed, 4 insertions, 2 deletions
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 32b128e6a..156922d6a 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -14,7 +14,6 @@ from utils import toDict, set_session
from webinterface import PYLOAD
from module.common.json_layer import json_dumps
-from module.database.UserDatabase import ROLE
try:
from ast import literal_eval
@@ -46,9 +45,12 @@ def call_api(func, args=""):
if 'session' in request.POST:
s = s.get_by_id(request.POST['session'])
- if not s or not s.get("authenticated", False) or s.get("role", -1) != ROLE.ADMIN:
+ if not s or not s.get("authenticated", False):
return HTTPError(401, json_dumps("Unauthorized"))
+ if not PYLOAD.isAuthorized(func, {"role": s["role"], "permission": s["perms"]}):
+ return HTTPError(403, json_dumps("Forbidden"))
+
args = args.split("/")[1:]
kwargs = {}
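Review bot: The new authorization check on the `if not PYLOAD.isAuthorized(...)` line indexes the session with `s["role"]` and `s["perms"]` directly, so an authenticated session that lacks either key (for example one created before this change, or one populated by a login path that does not set both) raises KeyError and turns into a 500 instead of a 403. Since the authenticated check above already uses `s.get("authenticated", False)` defensively, the lookup should be equally defensive, e.g. `if not PYLOAD.isAuthorized(func, {"role": s.get("role"), "permission": s.get("perms")}):`, provided `isAuthorized` treats a missing value as a denial rather than a match — that function is not in this diff, so it is worth confirming it fails closed for `None` and for unknown `func` names. The old admin-only gate also guarded against the session coming from a client-supplied id on the `s.get_by_id(request.POST['session'])` line; the replacement relies entirely on `isAuthorized`, so a short comment above the check stating that it is the sole authorization point for the API would help future readers. The enclosing `call_api` starts before this hunk and its body continues past it.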