Commit dbae3ba7 authored by Benjamin "Ziirish" SANS's avatar Benjamin "Ziirish" SANS

moderators should not be allowed to log out admins

parent e9c4abef
......@@ -1739,11 +1739,14 @@ class MySessions(Resource):
store = session_manager.get_session_by_id(str(id))
if not store:
self.abort('Session not found')
if store.user != user and \
not current_user.is_anonymous and \
not current_user.acl.is_admin() and \
not current_user.acl.is_moderator():
self.abort(403, 'Insufficient permissions')
if store.user != user:
if not current_user.is_anonymous and \
not current_user.acl.is_admin() and \
not current_user.acl.is_moderator():
self.abort(403, 'Insufficient permissions')
if current_user.acl.is_moderator() and \
meta_grants.is_admin(store.user):
self.abort(403, 'Insufficient permissions')
if session_manager.invalidate_session_by_id(store.uuid):
session_manager.delete_session_by_id(store.uuid)
return [NOTIF_OK, 'Session {} successfully revoked'.format(id)], 201
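Review bot: The first guard inside the new `if store.user != user:` block still fails open for an anonymous caller: because it is written as `not current_user.is_anonymous and not ...is_admin() and not ...is_moderator()`, the whole condition is false when `is_anonymous` is true, so no 403 is raised and the following moderator check then evaluates `current_user.acl.is_moderator()` on that anonymous user. Unless a decorator outside the hunk already rejects unauthenticated requests, the fail-closed form is `if current_user.is_anonymous or (not current_user.acl.is_admin() and not current_user.acl.is_moderator()):` followed by the existing `self.abort(403, 'Insufficient permissions')`, and the new moderator-versus-admin check can then assume an authenticated user. A one-line comment above the second check, such as `# moderators may revoke other users' sessions, but never an admin's`, would record the intent this commit adds. The enclosing method starts before the hunk, and the rendered page has dropped indentation, so the nesting is inferred from the old/new line counts.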