# HG changeset patch
# User Dennis Fink
# Date 2015-08-30 15:18:13
# Node ID 270279ad054e930a15f0e4bff2b1082c71c0bf69
# Parent bfe9206037615f2e1b8a126d122bcdde35059eeb
Rewrite user checking
diff --git a/ennstatus/api/views.py b/ennstatus/api/views.py
--- a/ennstatus/api/views.py
+++ b/ennstatus/api/views.py
@@ -30,10 +30,15 @@ def update():
 current_app.logger.error(str(e))
 return abort(500)
 
+ username = httpauth.username()
+
 try:
- if request.remote_addr not in servers[httpauth.username()]['IPS']:
- current_app.logger.warn('Unallowed IP %s tried to update data!'
- % request.remote_addr)
+ if request.remote_addr not in servers[username]['IPS']:
+ current_app.logger.warn(
+ 'Unallowed IP {} tried to update data!'.format(
+ request.remote_addr
+ )
+ )
 return 'IP not allowed!\n', 403, {'Content-Type': 'text/plain'}
 except KeyError as e:
 current_app.logger.error(str(e))
@@ -45,6 +50,18 @@ def update():
 current_app.logger.info('No JSON data supplied!')
 return 'No JSON data supplied!\n', 400, {'Content-Type': 'text/plain'}
 
+ try:
+ if username != data['name'].lower():
+ current_app.logger.warn(
+ 'Unallowed user {} tried to update {}!'.format(
+ username, data['name']
+ )
+ )
+ return ('You are not allowed to update this server\n',
+ 403, {'Content-Type': 'text/plain'})
+ except KeyError:
+ return abort(409)
+
 if 'ip' in data:
 ip = data['ip']
 elif 'ip6' in data:
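Review bot: The allow-list test on `request.remote_addr` in the rewritten `if` is only as reliable as the deployment's proxy handling, and nothing in the hunk states which setup is assumed. Behind a reverse proxy this value is the proxy's own address unless forwarded headers are processed, and if they are processed they must be accepted only from a trusted proxy. A comment above the check would record the assumption, e.g. `# remote_addr must be the real peer address; behind a proxy, only trusted forwarded headers may set it`. Separately, `logger.warn` is a deprecated alias here and in the second hunk; `current_app.logger.warning('Unallowed IP %s tried to update data!', request.remote_addr)` avoids it and defers formatting to the logger. The body of the `except KeyError` handler continues outside the hunk.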
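Review bot: The new ownership check in the second hunk handles only `KeyError`, so a body whose `name` is not a string (a number, null, a list) raises `AttributeError` on `.lower()`, and a non-object JSON body raises `TypeError` on `data['name']`; either would presumably surface as a 500 instead of a clean rejection. Validating first keeps the failure explicit: `name = data.get('name') if isinstance(data, dict) else None` followed by `if not isinstance(name, str): return abort(409)`. The comparison also lowercases only the client-supplied side, so a configured username containing uppercase could never match; lowercase both sides or document that the keys of `servers` are lowercase. `data['name']` is client-controlled and is written to the log unmodified, so logging it with `%r` keeps embedded newlines from forging log lines. The body of `update()` starts and continues outside the hunk, so how `data` is parsed is not visible here.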