From ed2a50f4ae0bc91e023846bf8bc39071338c4318 Mon Sep 17 00:00:00 2001 From: Pliable Pixels Date: Sat, 23 Jan 2021 16:18:40 -0500 Subject: [PATCH] add permission check
---
 web/api/app/Controller/HostController.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/web/api/app/Controller/HostController.php b/web/api/app/Controller/HostController.php
index db1a673c5..b16920004 100644
--- a/web/api/app/Controller/HostController.php
+++ b/web/api/app/Controller/HostController.php
@@ -23,7 +23,20 @@ class HostController extends AppController {
 // an interface to individually control the various ZM daemons
 // invocation: https://server/zm/api/host/daemonControl/.pl/.json
+ // note that this API is only for interaction with a specific
+ // daemon. zmdc also allows other functions like logrot/etc
 public function daemonControl($daemon_name, $command) {
+ global $user;
+ if ($command == 'check' || $command == 'status') {
+ $permission = 'View';
+ } else {
+ $permission = 'Edit';
+ }
+ $allowed = (!$user) || ($user['System'] == $permission );
+ if ( !$allowed ) {
+ throw new UnauthorizedException(__("Insufficient privileges"));
+ return;
+ }
 $string = ZM_PATH_BIN."/zmdc.pl $command $daemon_name";
 $result = exec($string);
 $this->set(array(
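Review bot: The new `$allowed` test compares `$user['System']` for equality with the required level, so for `check`/`status` it grants access only to a user whose System permission is exactly `View` and denies one holding `Edit`, which is presumably the higher level; a rank-aware test such as `$allowed = !$user || $user['System'] === 'Edit' || ($permission === 'View' && $user['System'] === 'View');` would fix that and drop the loose `==`. The `return;` after the `throw` is unreachable and can go. The `(!$user)` branch permits every command when no user is set, which is fine if that only happens with authentication disabled, but it deserves a comment such as `// no $user means auth is off; all commands are allowed` so a missing session is not silently treated as an authorisation. Note also that `$command` and `$daemon_name` are still interpolated unescaped into the `exec()` string just below the added block, so an Edit-level caller can pass shell metacharacters; wrapping each in `escapeshellarg()` (or checking `$command` against the set of zmdc verbs) would close that. The method body continues past the end of the hunk.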