moderators should not be allowed to log out admins

dbae3ba7 · Benjamin "Ziirish" SANS · e9c4abef · dbae3ba7
Verified Commit dbae3ba7 authored May 09, 2018 by Benjamin "Ziirish" SANS
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 5 deletions

burpui/api/admin.py burpui/api/admin.py +8 -5

No files found.
--- a/burpui/api/admin.py
+++ b/burpui/api/admin.py
@@ -1739,11 +1739,14 @@ class MySessions(Resource):
        store = session_manager.get_session_by_id(str(id))
        if not store:
            self.abort('Session not found')
-        if store.user != user and \
-                not current_user.is_anonymous and \
-                not current_user.acl.is_admin() and \
-                not current_user.acl.is_moderator():
-            self.abort(403, 'Insufficient permissions')
+        if store.user != user:
+            if not current_user.is_anonymous and \
+                    not current_user.acl.is_admin() and \
+                    not current_user.acl.is_moderator():
+                self.abort(403, 'Insufficient permissions')
+            if current_user.acl.is_moderator() and \
+                    meta_grants.is_admin(store.user):
+                self.abort(403, 'Insufficient permissions')
        if session_manager.invalidate_session_by_id(store.uuid):
            session_manager.delete_session_by_id(store.uuid)
        return [NOTIF_OK, 'Session {} successfully revoked'.format(id)], 201