From e6a81239390d9807297cfdd69b94534d7cdd49bc Mon Sep 17 00:00:00 2001
From: Martijn Voncken
Date: Sat, 12 Jul 2008 06:49:13 +0000
Subject: [PATCH] check session in json api

---
 deluge/ui/webui/json_api.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/deluge/ui/webui/json_api.py b/deluge/ui/webui/json_api.py
index 6a30bf7a1..a7b5dac68 100644
--- a/deluge/ui/webui/json_api.py
+++ b/deluge/ui/webui/json_api.py
@@ -43,12 +43,16 @@ design:
 from traceback import format_exc
 import web
 from web import webapi
+import page_decorators as deco
+from web import cookies, setcookie as w_setcookie
+import utils
 from deluge.ui.client import sclient,aclient
 from deluge.log import LOG as log
 from deluge import component
 from utils import dict_cb
 from lib import json
 
+
 class json_rpc:
 """
 == Full client api ==
@@ -59,9 +63,18 @@ class json_rpc:
 def GET(self):
 print '{"error":"only POST is supported"}'
 
- #security bug: does not check session!!
- def POST(self):
- web.header("Content-Type", "application/x-json")
+
+ def POST(self , name=None):
+ ck = cookies()
+ if not(ck.has_key("session_id") and ck["session_id"] in utils.SESSIONS):
+ print """{"error":{
+ "number":1,
+ "message":"not authenticated"
+ "error":"not authenticated"
+ }
+ }
+ """
+ return
 id = 0
 try:
 log.debug("json-data:")
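Review bot: Two of the added imports, `page_decorators as deco` and `setcookie as w_setcookie`, are not referenced by any line this commit adds; the new guard in `POST` uses only `cookies()` and `utils.SESSIONS`. If they are meant for a follow-up change, they are better added together with the code that uses them. Otherwise the additions can be reduced to `from web import cookies` and `import utils`.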
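Review bot: The "not authenticated" reply printed by the new guard in `POST` is not valid JSON, because there is no comma between the `"message"` and `"error"` members, so a client that parses the body will fail on it instead of seeing the authentication error; that line should read `"message":"not authenticated",`. The hunk also removes `web.header("Content-Type", "application/x-json")` and nothing visible here sets it again, so unless it is restored further down, the rejection (and possibly every reply) goes out with the framework's default content type. Since the check relies only on the `session_id` cookie, which a browser also attaches to cross-site POSTs, it is worth confirming that this endpoint has a CSRF defence as well, such as a per-session token or an Origin check. The new `name=None` parameter is not used in the visible lines, and `POST`'s body continues outside the hunk.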