From b535df5615c253d61e1a4877cb911560360ec0b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rajmund=20Hru=C5=A1ka?= <rajmund.hruska@cesnet.cz>
Date: Wed, 8 Mar 2023 14:07:59 +0100
Subject: [PATCH] Restrict getClients API to clients with 'manage' flag

---
 warden_server/warden_server.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/warden_server/warden_server.py b/warden_server/warden_server.py
index ffe7ce3..c68e7a1 100755
--- a/warden_server/warden_server.py
+++ b/warden_server/warden_server.py
@@ -305,6 +305,12 @@ class PlainAuthenticator(ObjectBase):
                 return None
             return client
 
+        if method.manage:
+            if not client.manage:
+                self.log.info("authorize: failed, client does not have manage enabled")
+                return None
+            return client
+
         if method.read:
             if not client.read:
                 self.log.info("authorize: failed, client does not have read enabled")
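Review bot: The new `if method.manage:` branch returns the client as soon as `client.manage` is set and never reaches the `read`/`write` checks below it, so `manage` replaces those flags rather than adding a requirement; because `expose()` keeps `read=True` by default, a method exposed with `manage=True` is still marked readable and only the order of these branches makes the stricter check win. That ordering dependence deserves a comment on the branch, e.g. `# checked before read/write on purpose: manage overrides them, so keep this order`. The check also assumes every client record the authenticator looks up carries a `manage` attribute; if an older row or a differently built client object lacks it, the lookup raises instead of denying — worth confirming against the client schema. `authorize` begins and ends outside the hunk.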
@@ -1431,13 +1437,14 @@ class PostgreSQL(DataBase):
         return ["DELETE FROM events WHERE id <= %s"], [(id_,)], 0
 
 
-def expose(read=True, write=False, debug=False):
+def expose(read=True, write=False, debug=False, manage=False):
 
     def expose_deco(meth):
         meth.exposed = True
         meth.read = read
         meth.write = write
         meth.debug = debug
+        meth.manage = manage
         if not hasattr(meth, "arguments"):
             meth.arguments = get_method_params(meth)
         return meth
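Review bot: `expose` still has no docstring, and `manage` is the first flag whose effect is not obvious from its name, so the decorator should state what it records: a docstring such as 'Mark *meth* as an RPC-exposed method and attach the access flags (`read`, `write`, `debug`, `manage`) the authenticator compares against the calling client's permissions; `manage` is meant for client-administration calls and takes precedence over `read`/`write`' would cover it. The flags are independent — `expose(manage=True)` leaves `meth.read = True` — which is worth spelling out in that docstring because it matters to any authenticator that tests `read` before `manage`. The closing `return expose_deco` of `expose` lies outside the hunk.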
@@ -1630,7 +1637,7 @@ class WardenHandler(ObjectBase):
             info["description"] = self.description
         return info
 
-    @expose(read=True)
+    @expose(manage=True)
     @json_wrapper
     def getClients(self):
         clients = self.db.get_clients()
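Review bot: `@expose(manage=True)` leaves the `read=True` default in place, so `getClients.read` is still True after this change and the restriction holds only because `PlainAuthenticator.authorize` happens to evaluate `manage` before `read`; an authenticator that checks `read` first, or a later reordering of those branches, would let a read-only client list every client again. Stating the intent costs one token: `@expose(read=False, manage=True)`. I cannot see whether other authenticator classes exist in this file, so treat this as hardening rather than a demonstrated bypass. `getClients` continues past the hunk.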
-- 
GitLab