From: Michael Tremer
Date: Thu, 15 Aug 2019 13:47:05 +0000 (+0100)
Subject: people: Check permissions before listing calls
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d561d9316285d0cc08de350b6fbdb460ff11fd22;p=ipfire.org.git
people: Check permissions before listing calls
Signed-off-by: Michael Tremer
---
diff --git a/src/web/people.py b/src/web/people.py
index cfbeef01..d923ed78 100644
--- a/src/web/people.py
+++ b/src/web/people.py
@@ -66,6 +66,10 @@ class CallsHandler(auth.CacheMixin, base.BaseHandler):
 if not account:
 raise tornado.web.HTTPError(404, "Could not find account %s" % uid)
 
+ # Check for permissions
+ if not account.can_be_managed_by(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot manage %s" % (self.current_user, account))
+
 if date:
 try:
 date = datetime.datetime.strptime(date, "%Y-%m-%d").date()
@@ -84,6 +88,10 @@ class CallHandler(auth.CacheMixin, base.BaseHandler):
 if not account:
 raise tornado.web.HTTPError(404, "Could not find account %s" % uid)
 
+ # Check for permissions
+ if not account.can_be_managed_by(self.current_user):
+ raise tornado.web.HTTPError(403, "%s cannot manage %s" % (self.current_user, account))
+
 call = self.backend.talk.freeswitch.get_call_by_uuid(uuid)
 if not call:
 raise tornado.web.HTTPError(404, "Could not find call %s" % uuid)
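Review bot: The three-line permission check added to CallsHandler is pasted verbatim into CallHandler in the second hunk, so every later account-scoped handler has to remember to repeat it by hand. Moving the account lookup and the `can_be_managed_by` check into one helper on the shared base handler, which raises the 404 or 403 itself, would make the check hard to omit. The 404 for an unknown uid is still raised before the 403, so a user without management rights can tell existing accounts from missing ones by status code; if account existence is meant to be private, both failures should produce the same response. The method signature and any authentication decorator are outside the hunk, so whether `self.current_user` can be None when it reaches `can_be_managed_by` cannot be confirmed from here.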
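Review bot: In CallHandler the new check authorises the caller against `account`, but the call is then loaded by `uuid` alone through `get_call_by_uuid(uuid)`, and nothing in the hunk ties that call to `account`. A user who may manage one account could therefore be served a call record that belongs to another account, unless ownership is verified after the hunk or inside `get_call_by_uuid`. If it is not, extend the lookup guard so a call that does not involve the account gets the same 404 as a missing one, along the lines of `if not call or not <call belongs to account>:`; the attribute to compare is not visible here, so that condition is a placeholder. The method body continues outside the hunk.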