From 5f8a4d25ea9034cadc8ae19a2ffab788f62cc56c Mon Sep 17 00:00:00 2001
From: RaNaN <Mast3rRaNaN@hotmail.de>
Date: Tue, 27 Sep 2011 16:24:03 +0200
Subject: reworked authorization, now works on api level

---
 module/web/api_app.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'module/web/api_app.py')

diff --git a/module/web/api_app.py b/module/web/api_app.py
index 32b128e6a..156922d6a 100644
--- a/module/web/api_app.py
+++ b/module/web/api_app.py
@@ -14,7 +14,6 @@ from utils import toDict, set_session
 from webinterface import PYLOAD
 
 from module.common.json_layer import json_dumps
-from module.database.UserDatabase import ROLE
 
 try:
     from ast import literal_eval
@@ -46,9 +45,12 @@ def call_api(func, args=""):
     if 'session' in request.POST:
         s = s.get_by_id(request.POST['session'])
 
-    if not s or not s.get("authenticated", False) or s.get("role", -1) != ROLE.ADMIN:
+    if not s or not s.get("authenticated", False):
         return HTTPError(401, json_dumps("Unauthorized"))
 
+    if not PYLOAD.isAuthorized(func, {"role": s["role"], "permission": s["perms"]}):
+        return HTTPError(403, json_dumps("Forbidden"))
+
     args = args.split("/")[1:]
     kwargs = {}
 
-- 
cgit v1.2.3