people: Check permissions before listing calls
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 15 Aug 2019 13:47:05 +0000 (14:47 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 15 Aug 2019 13:47:05 +0000 (14:47 +0100)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/web/people.py

index cfbeef01f00630ef1dcd1de61bf28233f574568c..d923ed782fd1b60fb2b72b4a0d9584c31b31f64a 100644 (file)
@@ -66,6 +66,10 @@ class CallsHandler(auth.CacheMixin, base.BaseHandler):
                if not account:
                        raise tornado.web.HTTPError(404, "Could not find account %s" % uid)
 
+               # Check for permissions
+               if not account.can_be_managed_by(self.current_user):
+                       raise tornado.web.HTTPError(403, "%s cannot manage %s" % (self.current_user, account))
+
                if date:
                        try:
                                date = datetime.datetime.strptime(date, "%Y-%m-%d").date()
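Review bot: The new 403 is raised only after the 404 for an unknown uid, so a logged-in user without management rights can tell existing accounts from missing ones by status code alone. If uids are not meant to be discoverable this way, answer both cases with the same status, e.g. `raise tornado.web.HTTPError(404, "%s cannot manage %s" % (self.current_user, account))`; Tornado takes the second argument as the log message, so the server log still records the real reason. The same ordering appears in the CallHandler hunk below. The method's signature and any authentication decorator are outside this hunk, so confirm that `self.current_user` cannot be None when it reaches `can_be_managed_by`.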
@@ -84,6 +88,10 @@ class CallHandler(auth.CacheMixin, base.BaseHandler):
                if not account:
                        raise tornado.web.HTTPError(404, "Could not find account %s" % uid)
 
+               # Check for permissions
+               if not account.can_be_managed_by(self.current_user):
+                       raise tornado.web.HTTPError(403, "%s cannot manage %s" % (self.current_user, account))
+
                call = self.backend.talk.freeswitch.get_call_by_uuid(uuid)
                if not call:
                        raise tornado.web.HTTPError(404, "Could not find call %s" % uuid)
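Review bot: The permission check covers `account`, but the call is then fetched by `uuid` alone through `get_call_by_uuid(uuid)`, and nothing visible in this hunk ties that call to `account`. A user who may manage their own account could therefore pass their own uid with another account's call uuid and still pass the check. After the lookup, verify that the call belongs to `account` and raise the same 404 (`"Could not find call %s" % uuid`) when it does not, so the response does not confirm that the uuid exists. The rest of the method is outside the hunk, so this may already be enforced further down; if it is not, add a comment such as `# The call must belong to the account we checked permissions for` next to the new check.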