api/__init__.py

@@ -53,9 +53,16 @@ def create_app():
 
     @app.route('/presentation/<string:presentation>', methods=['DELETE'])
     def delete_presentation(presentation):
+        data = request.get_json()
+        if not data['auth'] or not _valid_credential(data['auth']):
+           return Response(response="Use correct credentials to access this endpoint", status=401)
+           
         shutil.rmtree(os.path.join(storagedir, presentation))
         return Response(response='Deleted {}'.format(presentation))
 
+    def _valid_credential(pw):
+        return config['api']['password'] == pw
+
     @app.route('/presentation/<string:presentation>/<path:path>')
     def serve_file(presentation, path):
         realpath = safe_join(storagedir, os.path.join(presentation, path))
@@ -115,7 +122,7 @@ def create_app():
     @app.route('/status/daemon')
     def daemon_status():
         running = False
-        if daemon_detect.is_running():
+        if api.daemon_detect.is_running():
             running = True
         return Response(response=json.dumps({'running': running}),
                         content_type='application/json')

config.ini.example

@@ -2,6 +2,7 @@
 permission_url = https://example.com/perm
 cache_seconds = 30
 log_level = DEBUG
+password = dummy
 
 [db]
 database = somedatabase