Diffstat (limited to 'module/web/api_app.py')
-rw-r--r-- | module/web/api_app.py | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/module/web/api_app.py b/module/web/api_app.py
index df62db18f..4be6e5ab8 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -7,7 +7,7 @@ from traceback import format_exc, print_exc
 from bottle import route, request, response, HTTPError
-from utils import set_session
+from utils import set_session, get_user_api
 from webinterface import PYLOAD
 from module.common.json_layer import json
@@ -41,10 +41,11 @@ def call_api(func, args=""):
 # removes "' so it works on json strings
 s = s.get_by_id(remove_chars(request.POST['session'], "'\""))
- if not s or not s.get("authenticated", False):
+ api = get_user_api(s)
+ if not api:
 return HTTPError(403, json.dumps("Forbidden"))
- if not PYLOAD.isAuthorized(func, {"role": s["role"], "permission": s["perms"]}):
+ if not PYLOAD.isAuthorized(func, api.user):
 return HTTPError(401, json.dumps("Unauthorized"))
 args = args.split("/")[1:]
@@ -81,21 +82,22 @@ def callApi(func, *args, **kwargs):
 def login():
 add_header(response)
- user = request.forms.get("username")
+ username = request.forms.get("username")
 password = request.forms.get("password")
- info = PYLOAD.checkAuth(user, password)
+ user = PYLOAD.checkAuth(username, password)
- if not info:
+ if not user:
 return json.dumps(False)
- s = set_session(request, info)
+ s = set_session(request, user)
 # get the session id by dirty way, documentations seems wrong
 try:
 sid = s._headers["cookie_out"].split("=")[1].split(";")[0]
 return json.dumps(sid)
 except:
+ print "Could not get session"
 return json.dumps(True)
|
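Review bot: The explicit `s.get("authenticated", False)` test in call_api is replaced by `get_user_api(s)`, whose body is not part of this diff, so whether a missing, expired or unauthenticated session yields a falsy `api` now rests entirely on that helper. `s` can presumably be None here when `get_by_id` finds no session for the POSTed id, so the helper has to tolerate None as well. A comment such as `# get_user_api returns None for a missing or unauthenticated session` above the call, or keeping `if not s:` as a guard before it, would make that contract visible at the call site. Separately, the status codes on the two unchanged return lines look swapped relative to HTTP semantics: a caller without a valid session gets 403 and an authenticated caller lacking permission gets 401. call_api's body begins and ends outside the hunk.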
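Review bot: The bare `except:` in login now prints a fixed string and still returns `json.dumps(True)`, so any failure while parsing `s._headers["cookie_out"]`, including ones unrelated to the cookie format, is reported to the client as a successful login without a session id and leaves no record of the cause. Narrowing it to `except (AttributeError, KeyError, IndexError):` and calling `print_exc()` (already imported at the top of the file) in place of the bare `print` would keep the diagnostic. It is also worth confirming that `set_session` issues a fresh session id on login rather than reusing a pre-login one; that helper is not shown in this diff.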