return "403 Forbidden" if authentication token was given, however is invalid
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 7 Aug 2012 19:11:52 +0000 (19:11 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 7 Aug 2012 19:11:52 +0000 (19:11 +0000)
Contributed by T-Labs, Deutsche Telekom Innovation Laboratories

Signed-off-by: Mirko Vogt <mirko@openwrt.org>
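--- a/modules/rpc/luasrc/controller/rpc.lua
+++ b/modules/rpc/luasrc/controller/rpc.lua
@@ -24,11 +24,13 @@ module "luci.controller.rpc"
 function index()
        local function authenticator(validator, accs)
                local auth = luci.http.formvalue("auth", true)
-               if auth then
+               if auth then -- if authentication token was given
                        local sdat = luci.sauth.read(auth)
-                       user = loadstring(sdat)().user
-                       if user and luci.util.contains(accs, user) then
-                               return user, auth
+                       if sdat then -- if given token is valid
+                               user = loadstring(sdat)().user
+                               if user and luci.util.contains(accs, user) then
+                                       return user, auth
+                               end
                        end
                end
                luci.http.status(403, "Forbidden")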
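Review bot: The new `if sdat then` guard covers only a missing session. The next line, `user = loadstring(sdat)().user`, still executes the stored session data as Lua with full access to globals, and still raises if that data does not compile or does not return a table. A corrupted or tampered session record therefore produces a runtime error, or runs code, instead of reaching the 403 path. `user` is also assigned without `local`, so the authenticated name lands in a global that may outlive the request, depending on how the controller is hosted. The token comes straight from the `auth` request parameter, and whether `luci.sauth.read` restricts it to a well-formed session id is not visible in this hunk. I would compile the chunk separately, run it in an empty environment under `pcall`, and keep the result local, as sketched below. `authenticator` and `index` both continue outside the hunk.

```lua
if sdat then -- if given token is valid
        -- treat session data as untrusted: compile, sandbox, then call
        local chunk = loadstring(sdat)
        if chunk then
                setfenv(chunk, {})
                local ok, sess = pcall(chunk)
                local user = ok and type(sess) == "table" and sess.user
                if user and luci.util.contains(accs, user) then
                        return user, auth
                end
        end
end
-- … unchanged: luci.http.status(403, "Forbidden") …
```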