Fix API authorization checks

master
Daniel Berteaud 10 years ago
parent 1eb8b4f9db
commit 8f4b707d4c
  1. 10
      vroom.pl

@ -911,6 +911,7 @@ helper key_can_do_this => sub {
return 0; return 0;
} }
my $key = $self->get_key_by_token($data->{token}); my $key = $self->get_key_by_token($data->{token});
my $room = $self->get_room_by_name($data->{param}->{room});
if (!$key){ if (!$key){
$self->app->log->debug("Invalid API key"); $self->app->log->debug("Invalid API key");
return 0; return 0;
@ -921,20 +922,21 @@ helper key_can_do_this => sub {
return 1; return 1;
} }
# Global actions can only be performed by admin keys # Global actions can only be performed by admin keys
if (!$key->{admin} && !$data->{param}->{room}){ if (!$room){
$self->app->log->debug("Non admin API Key doesn't allow global actions"); $self->app->log->debug("Invalid room ID");
return 0; return 0;
} }
# Now, lookup the DB the role of this key for this room # Now, lookup the DB the role of this key for this room
my $sth = eval { my $sth = eval {
$self->db->prepare('SELECT role $self->db->prepare('SELECT `role`
FROM `room_keys` FROM `room_keys`
LEFT JOIN `rooms` ON `room_keys`.`room_id`=`rooms`.`id` LEFT JOIN `rooms` ON `room_keys`.`room_id`=`rooms`.`id`
WHERE `room_keys`.`key_id`=? WHERE `room_keys`.`key_id`=?
AND `room_keys`.`room_id`=?
LIMIT 1'); LIMIT 1');
}; };
$sth->execute($key->{id}); $sth->execute($key->{id},$room->{id});
$sth->bind_columns(\$key->{role}); $sth->bind_columns(\$key->{role});
$sth->fetch; $sth->fetch;
my $actions = API_ACTIONS; my $actions = API_ACTIONS;

Loading…
Cancel
Save