Fix API authorization checks

10 years ago · 8f4b707d4c
parent 1eb8b4f9db
commit 8f4b707d4c
1 changed files with 7 additions and 5 deletions
--- a/vroom.pl
+++ b/vroom.pl
@ -911,6 +911,7 @@ helper key_can_do_this => sub {
    return 0;
  }
  my $key = $self->get_key_by_token($data->{token});
+  my $room = $self->get_room_by_name($data->{param}->{room});
  if (!$key){
    $self->app->log->debug("Invalid API key");
    return 0;
@ -921,20 +922,21 @@ helper key_can_do_this => sub {
    return 1;
  }
  # Global actions can only be performed by admin keys
-  if (!$key->{admin} && !$data->{param}->{room}){
-    $self->app->log->debug("Non admin API Key doesn't allow global actions");
+  if (!$room){
+    $self->app->log->debug("Invalid room ID");
    return 0;
  }
-  
+
  # Now, lookup the DB the role of this key for this room
  my $sth = eval {
-    $self->db->prepare('SELECT role
+    $self->db->prepare('SELECT `role`
                          FROM `room_keys`
                          LEFT JOIN `rooms` ON `room_keys`.`room_id`=`rooms`.`id`
                          WHERE `room_keys`.`key_id`=?
+                            AND `room_keys`.`room_id`=?
                          LIMIT 1');
  };
-  $sth->execute($key->{id});
+  $sth->execute($key->{id},$room->{id});
  $sth->bind_columns(\$key->{role});
  $sth->fetch;
  my $actions = API_ACTIONS;