From 07c813cc1f81b0f1d29536ea0a0fffd40e39ab49 Mon Sep 17 00:00:00 2001
From: jesopo
Date: Sat, 10 Nov 2018 21:54:08 +0000
Subject: Add basic access controls to modules/rest_api.py
---
 modules/rest_api.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'modules')
diff --git a/modules/rest_api.py b/modules/rest_api.py
index 0ea1616e..b3fcca00 100644
--- a/modules/rest_api.py
+++ b/modules/rest_api.py
@@ -23,10 +23,9 @@ class Handler(http.server.BaseHTTPRequestHandler):
 hook = hooks[0]
 authenticated = hook.get_kwarg("authenticated", True)
 key = params.get("key", None)
- if authenticated and (not key or not _bot.get_setting(
- "api-key-%s" % key, False)):
- code = 401
- else:
+ permissions = _bot.get_setting("api-key-%s" % key, [])
+
+ if not authenticated or path in permimssions or "*" in permissions:
 if path.startswith("/api/"):
 event_response = None
 try:
@@ -42,6 +41,8 @@ class Handler(http.server.BaseHTTPRequestHandler):
 response = json.dumps(event_response, sort_keys=True, indent=4)
 code = 200
+ else:
+ code = 401
 self.send_response(code)
 self.send_header("Content-type", "application/json")
--
cgit v1.3.1-10-gc9f91
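Review bot: The new access check in the first hunk reads `permimssions`, a name that is never bound, so every request to a hook with `authenticated` true raises NameError before `code` is set; the line should read `if not authenticated or path in permissions or "*" in permissions:`. The check also relies on the stored setting being a list. The removed code used a `False` default, which suggests existing `api-key-*` settings may hold a boolean, and `path in True` raises TypeError, while a stored string would turn `in` into a substring match and could authorize unintended paths. A guard such as `if not isinstance(permissions, list): permissions = []` before the check would keep both cases fail-closed. It would also help to add a comment on the `else: code = 401` branch in the second hunk, stating that it covers both a missing or unknown key and a key lacking permission for `path`. The enclosing handler method starts and ends outside both hunks, so how `code` and `path` are initialised is not visible here.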