Restrict getClients API to clients with 'manage' flag

b535df56 · Rajmund Hruška · 47d3e026 · b535df56
Commit b535df56 authored Mar 8, 2023 by Rajmund Hruška
--- a/warden_server/warden_server.py
+++ b/warden_server/warden_server.py
@@ -305,6 +305,12 @@ class PlainAuthenticator(ObjectBase):
                return None
            return client
+        if method.manage:
+            if not client.manage:
+                self.log.info("authorize: failed, client does not have manage enabled")
+                return None
+            return client
        if method.read:
            if not client.read:
                self.log.info("authorize: failed, client does not have read enabled")
@@ -1431,13 +1437,14 @@ class PostgreSQL(DataBase):
        return ["DELETE FROM events WHERE id <= %s"], [(id_,)], 0
-def expose(read=True, write=False, debug=False):
+def expose(read=True, write=False, debug=False, manage=False):
    def expose_deco(meth):
        meth.exposed = True
        meth.read = read
        meth.write = write
        meth.debug = debug
+        meth.manage = manage
        if not hasattr(meth, "arguments"):
            meth.arguments = get_method_params(meth)
        return meth
@@ -1630,7 +1637,7 @@ class WardenHandler(ObjectBase):
            info["description"] = self.description
        return info
-    @expose(read=True)
+    @expose(manage=True)
    @json_wrapper
    def getClients(self):
        clients = self.db.get_clients()