Fixed permissions on uploading custom mesh core.

2021-02-04 13:44:40 -08:00 · 2021-02-04 13:44:40 -08:00 · 9ed135e08c
parent 7a34e8c169
commit 9ed135e08c
1 changed files with 17 additions and 12 deletions
--- a/webserver.js
+++ b/webserver.js
@ -3317,12 +3317,16 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                if ((loginCookie != null) && (domain.id == loginCookie.domainid)) { authUserid = loginCookie.userid; } // Use cookie authentication
            }
            if (authUserid == null) { res.sendStatus(401); return; }
+            if ((fields == null) || (fields.attrib == null) || (fields.attrib.length != 1)) { res.sendStatus(404); return; }

            // Get the user
            const user = obj.users[authUserid];
-            if (user.siteadmin != 0xFFFFFFFF) { res.sendStatus(401); return; } // Check if we have mesh core upload rights (Full admin only)
+            if (user == null) { res.sendStatus(401); return; } // Check this user exists

-            if ((fields == null) || (fields.attrib == null) || (fields.attrib.length != 1)) { res.sendStatus(404); return; }
+            // Get the node and check node rights
+            const nodeid = fields.attrib[0];
+            obj.GetNodeWithRights(domain, user, nodeid, function (node, rights, visible) {
+                if ((node == null) || (rights != 0xFFFFFFFF) || (visible == false)) { res.sendStatus(404); return; } // We don't have remote control rights to this device
                for (var i in files.files) {
                    var file = files.files[i];
                    obj.fs.readFile(file.path, 'utf8', function (err, data) {
@ -3334,6 +3338,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
                }
                res.send('');
            });
+        });
    }

    // Upload a file to the server