From e6a2655d312aa122eafea9b1d503a1ecda077d23 Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Tue, 23 Feb 2021 15:28:15 +0100
Subject: [PATCH] fix: [API ACL] avoid user_no_api users to access the API
---
 var/www/modules/restApi/Flask_restApi.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/var/www/modules/restApi/Flask_restApi.py b/var/www/modules/restApi/Flask_restApi.py
index 8e1db66a..8e96bf67 100644
--- a/var/www/modules/restApi/Flask_restApi.py
+++ b/var/www/modules/restApi/Flask_restApi.py
@@ -68,6 +68,10 @@ def get_user_from_token(token):
 return r_serv_db.hget('user:tokens', token)
 
 def verify_user_role(role, token):
+ # User without API
+ if role == 'user_no_api':
+ return False
+
 user_id = get_user_from_token(token)
 if user_id:
 if is_in_role(user_id, role):
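Review bot: The new guard in `verify_user_role` compares the `role` argument, which appears to be the role the endpoint requires, rather than the role held by the owner of `token`. It therefore stops any endpoint declared with `user_no_api` from authorising a call, but whether an account holding only that role is refused on other endpoints still depends on `is_in_role` and on the role each endpoint passes in, neither of which is visible in this hunk. I would state that in the comment, for example `# 'user_no_api' is never a valid API role: deny before the token lookup`, and add a regression test asserting that a token belonging to a `user_no_api` account is rejected on an endpoint that requires a higher role. The rest of the function body lies outside the hunk, so the remaining return paths could not be checked here.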