Security check when posting task config

2024-08-30 18:23:09 +00:00 · 2024-05-26 18:37:20 -04:00 · 2024-05-26 18:37:20 -04:00 · b8681c0fce
commit b8681c0fce
parent caf35a6de8
1 changed files with 12 additions and 0 deletions
--- a/app/classes/web/routes/api/servers/server/tasks/index.py
+++ b/app/classes/web/routes/api/servers/server/tasks/index.py
@ -113,6 +113,18 @@ class ApiServersServerTasksIndexHandler(BaseApiHandler):
                )
        if "parent" not in data:
            data["parent"] = None
+        if data.get("action_id"):
+            backup_config = self.controller.management.get_backup_config(
+                data["action_id"]
+            )
+            if backup_config["server_id"]["server_id"] != server_id:
+                return self.finish_json(
+                    405,
+                    {
+                        "status": "error",
+                        "error": "Server ID Mismatch",
+                    },
+                )
        task_id = self.tasks_manager.schedule_job(data)

        self.controller.management.add_to_audit_log(