Diffstat (limited to 'module/web/api_app.py')
-rw-r--r--module/web/api_app.py6
1 files changed, 4 insertions, 2 deletions
diff --git a/module/web/api_app.py b/module/web/api_app.py
index 32b128e6a..156922d6a 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -14,7 +14,6 @@ from utils import toDict, set_session
from webinterface import PYLOAD
from module.common.json_layer import json_dumps
-from module.database.UserDatabase import ROLE
try:
from ast import literal_eval
@@ -46,9 +45,12 @@ def call_api(func, args=""):
if 'session' in request.POST:
s = s.get_by_id(request.POST['session'])
- if not s or not s.get("authenticated", False) or s.get("role", -1) != ROLE.ADMIN:
+ if not s or not s.get("authenticated", False):
return HTTPError(401, json_dumps("Unauthorized"))
+ if not PYLOAD.isAuthorized(func, {"role": s["role"], "permission": s["perms"]}):
+ return HTTPError(403, json_dumps("Forbidden"))
+
args = args.split("/")[1:]
kwargs = {}
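Review bot: The new authorization call on the `if not PYLOAD.isAuthorized(...)` line indexes `s["role"]` and `s["perms"]` directly, whereas the authentication check just above (and the removed admin check) used `s.get(...)` with a default; an authenticated session record that lacks either key — for instance one created by a code path or a deployment that predates the `perms` field — would now raise `KeyError` and surface as a 500 instead of a clean 403. Since this is the gate between "logged in" and "allowed to call `func`", it should fail closed rather than crash: `if not PYLOAD.isAuthorized(func, {"role": s.get("role", -1), "permission": s.get("perms", 0)}):`, using whatever values `isAuthorized` treats as "no role" and "no permissions" (the `0` is a guess — confirm against the permission model). It is also worth confirming that `isAuthorized` returns False for a `func` name it does not recognise, because `func` comes straight from the URL and the previous code never let a non-admin reach this point at all. The body of `call_api` continues past the end of the hunk.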