Check for system accounts during authorization

Bob Mottram 2020-11-23 09:39:09 +00:00
parent 88cc48480f
commit eb44a66066
1 changed files with 16 additions and 15 deletions


@ -1120,21 +1120,22 @@ class PubServer(BaseHTTPRequestHandler):
tokenStr = tokenStr.split(';')[0].strip() tokenStr = tokenStr.split(';')[0].strip()
if self.server.tokensLookup.get(tokenStr): if self.server.tokensLookup.get(tokenStr):
nickname = self.server.tokensLookup[tokenStr] nickname = self.server.tokensLookup[tokenStr]
self.authorizedNickname = nickname if not isSystemAccount(nickname):
# default to the inbox of the person self.authorizedNickname = nickname
if self.path == '/': # default to the inbox of the person
self.path = '/users/' + nickname + '/inbox' if self.path == '/':
# check that the path contains the same nickname self.path = '/users/' + nickname + '/inbox'
# as the cookie otherwise it would be possible # check that the path contains the same nickname
# to be authorized to use an account you don't own # as the cookie otherwise it would be possible
if '/' + nickname + '/' in self.path: # to be authorized to use an account you don't own
return True if '/' + nickname + '/' in self.path:
elif '/' + nickname + '?' in self.path: return True
return True elif '/' + nickname + '?' in self.path:
elif self.path.endswith('/' + nickname): return True
return True elif self.path.endswith('/' + nickname):
print('AUTH: nickname ' + nickname + return True
' was not found in path ' + self.path) print('AUTH: nickname ' + nickname +
' was not found in path ' + self.path)
return False return False
print('AUTH: epicyon cookie ' + print('AUTH: epicyon cookie ' +
'authorization failed, header=' + 'authorization failed, header=' +
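Review bot: The new `if not isSystemAccount(nickname):` guard has no else branch, so a valid token that belongs to a system account simply drops out of the block and is reported only by the generic `'AUTH: epicyon cookie authorization failed'` message below, making a refused system-account login indistinguishable in the logs from a bad or expired cookie. Adding `else:` / `print('AUTH: system account ' + nickname + ' cannot be used for cookie authorization')` before the fall-through keeps the refusal auditable. Separately, the ownership check that follows is still a substring test (`'/' + nickname + '/' in self.path`) against the raw request path, which presumably still carries the query string; a request like `/users/alice/inbox?x=/bob/` would satisfy it for a token owned by bob, so matching the nickname against the parsed path segment after `/users/` would be tighter. Rejecting system accounts only at use time also leaves it to the token-issuing code (not visible here) to ensure such accounts never receive a token in the first place, which is worth confirming. The enclosing method begins before this hunk and continues after it.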