Skip to content

burp-ui
burp-ui
Verified Commit 0b1cd503 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS
Browse files
Options

check ACL against both client and server (fix #313)

parent 60c22730
Hide whitespace changes
Inline Side-by-side
Showing with 7 additions and 6 deletions
burpui/api/settings.py
View file @ 0b1cd503
......@@ -429,14 +429,15 @@ class NewClientSettings(Resource):
)
def put(self, server=None):
"""Creates a new client"""
newclient = self.parser.parse_args()['newclient']
if not newclient:
self.abort(400, 'No client name provided')
if not current_user.is_anonymous and \
current_user.acl.is_moderator() and \
not current_user.acl.is_server_rw(server):
not current_user.acl.is_client_rw(newclient, server):
self.abort(403, 'You don\'t have rights on this server')
newclient = self.parser.parse_args()['newclient']
if not newclient:
self.abort(400, 'No client name provided')
parser = bui.client.get_parser(agent=server)
clients = parser.list_clients()
for cl in clients:
......@@ -508,7 +509,7 @@ class ClientSettings(Resource):
"""Saves a given client configuration"""
if not current_user.is_anonymous and \
current_user.acl.is_moderator() and \
not current_user.acl.is_server_rw(server):
not current_user.acl.is_client_rw(client, server):
self.abort(403, 'You don\'t have rights on this server')
args = self.parser_post.parse_args()
......@@ -599,7 +600,7 @@ class ClientSettings(Resource):
"""Deletes a given client"""
if not current_user.is_anonymous and \
current_user.acl.is_moderator() and \
not current_user.acl.is_server_rw(server):
not current_user.acl.is_client_rw(client, server):
self.abort(403, 'You don\'t have rights on this server')
args = self.parser_delete.parse_args()
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment