From 8f4b707d4c980f970f51866df81f2d5255aec62e Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Sun, 18 Jan 2015 18:45:48 +0100
Subject: [PATCH] Fix API authorization checks
---
 vroom.pl | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/vroom.pl b/vroom.pl
index 9ec7716..b42cffe 100755
--- a/vroom.pl
+++ b/vroom.pl
@@ -911,6 +911,7 @@ helper key_can_do_this => sub {
 return 0;
 }
 my $key = $self->get_key_by_token($data->{token});
+ my $room = $self->get_room_by_name($data->{param}->{room});
 if (!$key){
 $self->app->log->debug("Invalid API key");
 return 0;
@@ -921,20 +922,21 @@ helper key_can_do_this => sub {
 return 1;
 }
 # Global actions can only be performed by admin keys
- if (!$key->{admin} && !$data->{param}->{room}){
- $self->app->log->debug("Non admin API Key doesn't allow global actions");
+ if (!$room){
+ $self->app->log->debug("Invalid room ID");
 return 0;
 }
-
+ # Now, lookup the DB the role of this key for this room
 my $sth = eval {
- $self->db->prepare('SELECT role
+ $self->db->prepare('SELECT `role`
 FROM `room_keys`
 LEFT JOIN `rooms` ON `room_keys`.`room_id`=`rooms`.`id`
 WHERE `room_keys`.`key_id`=?
+ AND `room_keys`.`room_id`=?
 LIMIT 1');
 };
- $sth->execute($key->{id});
+ $sth->execute($key->{id},$room->{id});
 $sth->bind_columns(\$key->{role});
 $sth->fetch;
 my $actions = API_ACTIONS;
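Review bot: The added `my $room = $self->get_room_by_name($data->{param}->{room});` runs before the `if (!$key)` test, so a request carrying an invalid or missing token still triggers a room lookup in the database before it is rejected; placing the line after the `if (!$key){ ... return 0; }` block keeps the credential check first and avoids work for unauthenticated callers. `$data->{param}->{room}` can be absent for actions that carry no room, so get_room_by_name should be known to tolerate an undefined name — not visible from this hunk. The enclosing key_can_do_this helper starts before this hunk and continues past it.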
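Review bot: `$sth->fetch;` is called without checking its result, so a key that has no `room_keys` row for this room leaves `$key->{role}` undef and the decision falls through to the role check below the hunk (outside SOURCE, so I cannot confirm it treats an undefined role as deny); an explicit guard after the fetch makes the deny-by-default visible: `if (!$sth->fetch || !defined $key->{role}) { $self->app->log->debug("Key has no role in this room"); return 0; }`. The `eval { ... prepare(...) }` result is likewise unchecked, so a prepare failure leaves `$sth` undef and the new `$sth->execute($key->{id},$room->{id});` dies on an undefined value instead of returning 0; checking `$@` or writing `$sth->execute($key->{id}, $room->{id}) or return 0;` keeps a database error from becoming an unhandled exception in an authorization helper. The new debug message `Invalid room ID` is misleading since the room is resolved by name in the first hunk; `"Unknown room name"` would match the lookup. key_can_do_this starts before this hunk and continues past it.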