From 69aa218335330e1e8c623fdc2e5e336b2b78056f Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 7 Aug 2012 19:11:52 +0000 Subject: [PATCH] return "403 Forbidden" if authentication token was given, however is invalid Contributed by T-Labs, Deutsche Telekom Innovation Laboratories Signed-off-by: Mirko Vogt --- modules/rpc/luasrc/controller/rpc.lua | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua index 7255c1780a..6b091163f1 100644 --- a/modules/rpc/luasrc/controller/rpc.lua +++ b/modules/rpc/luasrc/controller/rpc.lua @@ -24,11 +24,13 @@ module "luci.controller.rpc" function index() local function authenticator(validator, accs) local auth = luci.http.formvalue("auth", true) - if auth then + if auth then -- if authentication token was given local sdat = luci.sauth.read(auth) - user = loadstring(sdat)().user - if user and luci.util.contains(accs, user) then - return user, auth + if sdat then -- if given token is valid + user = loadstring(sdat)().user + if user and luci.util.contains(accs, user) then + return user, auth + end end end luci.http.status(403, "Forbidden") -- 2.30.2