Merged revisions 316663 via svnmerge from
authorSean Bright <sean@malleable.com>
Wed, 4 May 2011 14:40:08 +0000 (14:40 +0000)
committerSean Bright <sean@malleable.com>
Wed, 4 May 2011 14:40:08 +0000 (14:40 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.8

........
  r316663 | seanbright | 2011-05-04 10:35:05 -0400 (Wed, 04 May 2011) | 8 lines

  Only return a single error via AMI when requesting a forbidden action.

  (closes issue #19216)
  Reported by: oej
  Patches:
        issue19216-1.8-r316204.patch uploaded by seanbright (license 71)
  Tested by: seanbright
........

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@316664 65c4cc65-6c06-0410-ace0-fbb531ad65f3

main/manager.c

index d3c3074..9b8c965 100644 (file)
@@ -4497,18 +4497,25 @@ static int process_message(struct mansession *s, const struct message *m)
                }
                if (s->session->writeperm & tmp->authority || tmp->authority == 0) {
                        call_func = tmp->func;
-               } else {
-                       astman_send_error(s, m, "Permission denied");
-                       report_req_not_allowed(s, action);
                }
                break;
        }
        AST_RWLIST_UNLOCK(&actions);
 
-       if (tmp && call_func) {
-               /* call AMI function after actions list are unlocked */
-               ast_debug(1, "Running action '%s'\n", tmp->action);
-               ret = call_func(s, m);
+       if (tmp) {
+               if (call_func) {
+                       /* Call our AMI function after we unlock our actions lists */
+                       ast_debug(1, "Running action '%s'\n", tmp->action);
+                       ret = call_func(s, m);
+               } else {
+                       /* If we found our action but don't have a function pointer, access
+                        * was denied, so bail out.
+                        */
+                       report_req_not_allowed(s, action);
+                       mansession_lock(s);
+                       astman_send_error(s, m, "Permission denied");
+                       mansession_unlock(s);
+               }
        } else {
                char buf[512];
                if (!tmp) {
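Review bot: `tmp` is still dereferenced after `AST_RWLIST_UNLOCK(&actions)`: the new `ast_debug(1, "Running action '%s'\n", tmp->action);` reads the list entry once the lock that protected it has been released, and `call_func` was copied out of that same entry. If an action can be unregistered while a manager request is in flight (not visible in this hunk), that read could touch freed memory; logging the request's own name, `ast_debug(1, "Running action '%s'\n", action);`, as the denied branch already does in `report_req_not_allowed(s, action)`, avoids the dereference. Separately, the `if (!tmp)` on the last line of the hunk now sits in the `else` of `if (tmp)` and is therefore always true, so any `else` arm it has outside the hunk would be unreachable; it should be dropped or commented. The body of process_message starts before this hunk and continues after it.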