From 120f8cecc3833a2955cd4183e8e10dc9ac1b0a1a Mon Sep 17 00:00:00 2001
From: daffyDukk
Date: Wed, 27 Oct 2021 10:57:14 +0200
Subject: [PATCH 1/2] added password check for DELETE method

---
 api/__init__.py | 9 ++++++++-
 config.ini.example | 1 +
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/api/__init__.py b/api/__init__.py
index 3b4b209..6220e08 100644
--- a/api/__init__.py
+++ b/api/__init__.py
@@ -53,9 +53,16 @@ def create_app():
 @app.route('/presentation/', methods=['DELETE'])
 def delete_presentation(presentation):
+ data = request.get_json()
+ if not data['auth'] or not _valid_credential(data['auth']):
+ return Response(response="Use correct credentials to access this endpoint", status=401)
+
 shutil.rmtree(os.path.join(storagedir, presentation))
 return Response(response='Deleted {}'.format(presentation))
 
+ def _valid_credential(pw):
+ return config['api']['password'] == pw
+
 @app.route('/presentation//')
 def serve_file(presentation, path):
 realpath = safe_join(storagedir, os.path.join(presentation, path))
@@ -115,7 +122,7 @@ def create_app():
 @app.route('/status/daemon')
 def daemon_status():
 running = False
- if daemon_detect.is_running():
+ if api.daemon_detect.is_running():
 running = True
 return Response(response=json.dumps({'running': running}), content_type='application/json')
diff --git a/config.ini.example b/config.ini.example
index bdf7fb0..f4f366a 100644
--- a/config.ini.example
+++ b/config.ini.example
@@ -2,6 +2,7 @@
 permission_url = https://example.com/perm
 cache_seconds = 30
 log_level = DEBUG
+password = dummy
 [db]
 database = somedatabase
--
2.39.5

From df0294a35be1a0938d2592a6f9daf41a17afad5d Mon Sep 17 00:00:00 2001
From: daffyDukk
Date: Wed, 27 Oct 2021 17:06:21 +0200
Subject: [PATCH 2/2] bug giving 500 internal server error fixed

---
 api/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/__init__.py b/api/__init__.py
index 6220e08..2570be9 100644
--- a/api/__init__.py
+++ b/api/__init__.py
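Review bot: `request.get_json()` returns None when the DELETE request carries no JSON body (or a non-JSON content type), so `data['auth']` on the next added line raises TypeError and the client gets a 500 instead of the intended 401; the same gap remains in the second patch's hunk on this file, where `'auth' in data` also fails on None. Reading the body as `data = request.get_json(silent=True) or {}` and then testing `'auth' not in data` keeps every malformed request on the 401 path. In `_valid_credential`, the plain `==` against `config['api']['password']` short-circuits on the first differing character, so the comparison time leaks how much of a guess matched; `return isinstance(pw, str) and hmac.compare_digest(config['api']['password'], pw)` (with `import hmac` at module top) removes that and also rejects non-string JSON values, which `compare_digest` would otherwise turn into a 500. The enclosing `create_app` starts and ends outside the hunk.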
@@ -54,7 +54,7 @@ def create_app():
 @app.route('/presentation/', methods=['DELETE'])
 def delete_presentation(presentation):
 data = request.get_json()
- if not data['auth'] or not _valid_credential(data['auth']):
+ if not 'auth' in data or not _valid_credential(data['auth']):
 return Response(response="Use correct credentials to access this endpoint", status=401)
 shutil.rmtree(os.path.join(storagedir, presentation))
--
2.39.5
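Review bot: `not 'auth' in data` on the added line negates the whole membership test instead of using the idiomatic `not in` form that PEP 8 (E713) asks for, and it is easy to misread as `(not 'auth') in data`; `if 'auth' not in data or not _valid_credential(data['auth']):` says the same thing unambiguously. The enclosing `create_app` and the tail of `delete_presentation` continue outside the hunk.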