From 63c199a8358196b6c8c6165aa354acf42aeb5316 Mon Sep 17 00:00:00 2001
From: amcmanu3
Date: Sun, 10 Apr 2022 17:30:48 -0400
Subject: [PATCH] Fix bug where any user could see all stats
---
 app/classes/web/api_handler.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/classes/web/api_handler.py b/app/classes/web/api_handler.py
index 53194fb2..8a9abedc 100644
--- a/app/classes/web/api_handler.py
+++ b/app/classes/web/api_handler.py
@@ -95,9 +95,15 @@ class ServersStats(ApiHandler):
 def get(self):
 """Get details about all servers"""
 authenticated = self.authenticate_user()
+ user_obj = self.controller.users.get_user_by_api_token(self.api_token)
 if not authenticated:
 return
- raw_stats = self.controller.servers.get_all_servers_stats()
+ if user_obj["superuser"]:
+ raw_stats = self.controller.servers.get_all_servers_stats()
+ else:
+ raw_stats = self.controller.servers.get_authorized_servers_stats(
+ user_obj["user_id"]
+ )
 stats = []
 for rs in raw_stats:
 s = {}
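Review bot: The added `user_obj = self.controller.users.get_user_by_api_token(self.api_token)` runs before the `if not authenticated: return` guard, so the token lookup is performed for requests that have not passed authentication. How that helper behaves on a missing or invalid token is not visible here, so it may raise before the guard can reject the request cleanly. Move the lookup below the guard and fail closed when no user is resolved, e.g. `if not user_obj: return` ahead of the `user_obj["superuser"]` test, so a lookup miss can never fall through to either stats query. The authorization decision also depends on a second token lookup separate from `authenticate_user()`; if that method already resolves the user, reusing its result would keep authentication and authorization on one source of truth. The body of `get` continues past the end of the hunk.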