From bb3cba35c378d34b5518f2a42cbbd11458cf5f7e Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Mon, 25 Jan 2021 00:22:01 -0800
Subject: [PATCH] Fixed access control checking.
---
 webserver.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/webserver.js b/webserver.js
index a8e0b51a..a2e0373f 100644
--- a/webserver.js
+++ b/webserver.js
@@ -6010,13 +6010,13 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (i.startsWith('mesh/')) {
 // Grant access to a device group thru a direct link
 const m = obj.meshes[i];
- if ((m) && (m.deleted == null) && ((rights == null) || ((m.rights & rights) != 0))) {
+ if ((m) && (m.deleted == null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) {
 if (r.indexOf(m) == -1) { r.push(m); }
 }
 } else if (i.startsWith('ugrp/')) {
 // Grant access to a device group thru a user group
 const g = obj.userGroups[i];
- if (g && (g.links != null) && ((rights == null) || ((g.rights & rights) != 0))) {
+ if (g && (g.links != null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) {
 for (var j in g.links) {
 if (j.startsWith('mesh/')) {
 const m = obj.meshes[j];
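Review bot: In the `ugrp/` branch the requested mask is now tested against `user.links[i].rights`, which is the user's link to the user group, not the rights that group holds on each device group it links to. If the loop body after `const m = obj.meshes[j];` (outside this hunk) does not test the group's own link, every device group reachable through the user group is granted or denied on the strength of the membership link alone. Assuming group links carry a `rights` field the way user links do, the per-mesh test would be `if (j.startsWith('mesh/') && ((rights == null) || ((g.links[j].rights & rights) != 0))) {`. The same applies to the `ugrp/` branch of the second hunk (`@@ -6047,13`).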
@@ -6047,13 +6047,13 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 if (i.startsWith('mesh/')) {
 // Grant access to a device group thru a direct link
 const m = obj.meshes[i];
- if ((m) && (m.deleted == null) && ((rights == null) || ((m.rights & rights) != 0))) {
+ if ((m) && (m.deleted == null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) {
 if (r.indexOf(m._id) == -1) { r.push(m._id); }
 }
 } else if (i.startsWith('ugrp/')) {
 // Grant access to a device group thru a user group
 const g = obj.userGroups[i];
- if (g && (g.links != null) && ((rights == null) || ((g.rights & rights) != 0))) {
+ if (g && (g.links != null) && ((rights == null) || ((user.links[i].rights & rights) != 0))) {
 for (var j in g.links) {
 if (j.startsWith('mesh/')) {
 const m = obj.meshes[j];
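Review bot: This block repeats the access check of the first hunk line for line, differing in the visible lines only by `r.push(m._id)` in place of `r.push(m)`, so the rights test now has to be kept correct in two copies. Until the two are folded into one, a marker on each copy such as `// Access check duplicated in the object-returning variant; change both together.` would make the coupling explicit. The enclosing functions start and end outside the hunk, so whether the id-returning one can simply map over the other's result needs confirming against the full bodies.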