Added method to SimpleApiPlugins to allow locking API to only admins

2015-04-21 19:31:00 +02:00 · 2015-04-21 19:31:00 +02:00 · 3f272b209d
commit 3f272b209d
parent edd6acc012
2 changed files with 12 additions and 1 deletions
--- a/src/octoprint/plugin/types.py
+++ b/src/octoprint/plugin/types.py
@ -469,7 +469,6 @@ class SimpleApiPlugin(OctoPrintPlugin):

 	   __plugin_implementation__ = MySimpleApiPlugin()

-
 	Our plugin defines two commands, ``command1`` with no mandatory parameters and ``command2`` with one
 	mandatory parameter ``some_parameter``.

@ -520,6 +519,12 @@ class SimpleApiPlugin(OctoPrintPlugin):
 		"""
 		return None

+	def is_api_adminonly(self):
+		"""
+		Return True if the API is only available to users having the admin role.
+		"""
+		return False
+
 	def on_api_command(self, command, data):
 		"""
 		Called by OctoPrint upon a POST request to ``/api/plugin/<plugin identifier>``. ``command`` will contain one of
--- a/src/octoprint/server/api/init.py
+++ b/src/octoprint/server/api/init.py
@ -56,6 +56,9 @@ def pluginData(name):
 		return make_response("More than one api provider registered for {name}, can't proceed".format(name=name), 500)

 	api_plugin = api_plugins[0]
+	if api_plugin.is_api_adminonly() and not current_user.is_admin():
+		return make_response("Forbidden", 403)
+
 	response = api_plugin.on_api_get(request)

 	if response is not None:
@ -80,6 +83,9 @@ def pluginCommand(name):
 	if valid_commands is None:
 		return make_response("Method not allowed", 405)

+	if api_plugin.is_api_adminonly() and not current_user.is_admin():
+		return make_response("Forbidden", 403)
+
 	command, data, response = get_json_command_from_request(request, valid_commands)
 	if response is not None:
 		return response