Add basic access controls to modules/rest_api.py

author: jesopo 2018-11-10 21:54:08 +0000
committer: jesopo 2018-11-10 21:54:08 +0000
commit: 07c813cc1f81b0f1d29536ea0a0fffd40e39ab49 (patch)
tree: 25500a06eb7e19b9142c24baf33ded7dc917aac8 /modules
parent: Remove unneeded string literal for `resume` CAP (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/modules/rest_api.py b/modules/rest_api.py
index 0ea1616e..b3fcca00 100644
--- a/modules/rest_api.py
+++ b/modules/rest_api.py
@@ -23,10 +23,9 @@ class Handler(http.server.BaseHTTPRequestHandler):
             hook = hooks[0]
             authenticated = hook.get_kwarg("authenticated", True)
             key = params.get("key", None)
-            if authenticated and (not key or not _bot.get_setting(
-                    "api-key-%s" % key, False)):
-                code = 401
-            else:
+            permissions = _bot.get_setting("api-key-%s" % key, [])
+
+            if not authenticated or path in permimssions or "*" in permissions:
                 if path.startswith("/api/"):
                     event_response = None
                     try:
@@ -42,6 +41,8 @@ class Handler(http.server.BaseHTTPRequestHandler):
                         response = json.dumps(event_response,
                             sort_keys=True, indent=4)
                         code = 200
+            else:
+                code = 401
 
         self.send_response(code)
         self.send_header("Content-type", "application/json")
author	jesopo	2018-11-10 21:54:08 +0000
committer	jesopo	2018-11-10 21:54:08 +0000
commit	07c813cc1f81b0f1d29536ea0a0fffd40e39ab49 (patch)
tree	25500a06eb7e19b9142c24baf33ded7dc917aac8 /modules
parent	Remove unneeded string literal for `resume` CAP (diff)
signature