From 3f272b209d645f5dfa9ed21eec0c0f9104f58002 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Tue, 21 Apr 2015 19:31:00 +0200
Subject: [PATCH] Added method to SimpleApiPlugins to allow locking API to only admins

---
 src/octoprint/plugin/types.py | 7 ++++++-
 src/octoprint/server/api/__init__.py | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/octoprint/plugin/types.py b/src/octoprint/plugin/types.py
index d49571e7..6349781c 100644
--- a/src/octoprint/plugin/types.py
+++ b/src/octoprint/plugin/types.py
@@ -469,7 +469,6 @@ class SimpleApiPlugin(OctoPrintPlugin):
 __plugin_implementation__ = MySimpleApiPlugin()
-
 Our plugin defines two commands, ``command1`` with no mandatory parameters and ``command2`` with one mandatory parameter ``some_parameter``.
@@ -520,6 +519,12 @@ class SimpleApiPlugin(OctoPrintPlugin):
 """
 return None
+ def is_api_adminonly(self):
+ """
+ Return True if the API is only available to users having the admin role.
+ """
+ return False
+
 def on_api_command(self, command, data):
 """
 Called by OctoPrint upon a POST request to ``/api/plugin/``. ``command`` will contain one of
diff --git a/src/octoprint/server/api/__init__.py b/src/octoprint/server/api/__init__.py
index 431d8346..056319bb 100644
--- a/src/octoprint/server/api/__init__.py
+++ b/src/octoprint/server/api/__init__.py
@@ -56,6 +56,9 @@ def pluginData(name):
 return make_response("More than one api provider registered for {name}, can't proceed".format(name=name), 500)
 api_plugin = api_plugins[0]
+ if api_plugin.is_api_adminonly() and not current_user.is_admin():
+ return make_response("Forbidden", 403)
+
 response = api_plugin.on_api_get(request)
 if response is not None:
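Review bot: The docstring of `is_api_adminonly` states what True means but not the default nor which requests the flag governs, although the two hunks in `server/api/__init__.py` in this same commit consult it on both the GET (`pluginData`) and the POST (`pluginCommand`) plugin endpoints. I'd extend it to: `Return True if the API is only available to users having the admin role. Defaults to False; when True, OctoPrint answers both GET requests and POST commands on this plugin's API endpoint from non-admin users with 403 before the plugin's handler is invoked.` That way a plugin author sees the whole contract from the base class alone.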
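Review bot: The new gate in `pluginData` calls `current_user.is_admin()` for every request to an admin-only plugin, so it depends on whatever `current_user` resolves to for an anonymous or API-key-authenticated caller implementing `is_admin()`; if that object lacks the method, an unauthenticated request raises instead of getting the intended 403, which is worth confirming against the user model (outside this diff). The identical two-line check is repeated in `pluginCommand` in the next hunk; a single helper such as `def _admin_only_denied(api_plugin): return api_plugin.is_api_adminonly() and not current_user.is_admin()` used by both endpoints would keep them from drifting apart if the rule ever changes. `pluginData`'s body begins above the hunk.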
@@ -80,6 +83,9 @@ def pluginCommand(name):
 if valid_commands is None:
 return make_response("Method not allowed", 405)
+ if api_plugin.is_api_adminonly() and not current_user.is_admin():
+ return make_response("Forbidden", 403)
+
 command, data, response = get_json_command_from_request(request, valid_commands)
 if response is not None:
 return response
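Review bot: In `pluginCommand` the admin check is placed after the `valid_commands is None` test, so for an admin-only plugin a non-admin caller is answered 405 when the plugin exposes no commands and 403 otherwise — authorization is decided only after the plugin's command table has been consulted and its absence has already been reported. I'd move the two added lines above `if valid_commands is None:`; the assignment to `valid_commands` appears to be just above the hunk, so the cleanest spot is right after `api_plugin` is resolved, before any plugin method is called. `pluginCommand`'s body begins above the hunk.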