Fix API Permissions for Session Key

2022-11-28 15:54:27 -08:00 · 2022-11-28 15:54:27 -08:00 · 83d9a52a94
parent f621e85f34
commit 83d9a52a94
2 changed files with 10 additions and 8 deletions
--- a/libs/auth.js
+++ b/libs/auth.js
@ -99,12 +99,13 @@ module.exports = function(s,config,lang){
            }else{
                getUserBySessionKey(params,function(err,user){
                    if(user){
-                        isSessionKey = true
-                        createSession(apiKey,{
+                        createSession(user,{
+                            auth: params.auth,
                            details: JSON.parse(user.details),
+                            isSessionKey: true,
                            permissions: {}
                        })
-                        callback(err,user,isSessionKey)
+                        callback(err,user,true)
                    }
                })
            }
@ -122,7 +123,7 @@ module.exports = function(s,config,lang){
            }
            user.details = s.parseJSON(user.details)
            user.permissions = {}
-            s.api[generatedId] = Object.assign(user,additionalData)
+            s.api[generatedId] = Object.assign({},user,additionalData)
            return generatedId
        }
    }
@ -204,9 +205,9 @@ module.exports = function(s,config,lang){
            })
        }else if(params.auth && params.ke){
            loginWithApiKey(params,function(err,user,isSessionKey){
-                if(isSessionKey)resetActiveSessionTimer(user)
+                if(isSessionKey)resetActiveSessionTimer(s.api[params.auth])
                if(user){
-                    onSuccess(user)
+                    onSuccess(s.api[params.auth])
                }else{
                    onFail()
                }
--- a/libs/monitor.js
+++ b/libs/monitor.js
@ -1839,6 +1839,7 @@ module.exports = function(s,config,lang){
        // provide "user" object given from "s.auth"
        const isSubAccount = !!user.details.sub
        const isApiKey = !user.login_type;
+        const isSessionKey = user.isSessionKey;
        const response = {
            isSubAccount,
            hasAllPermissions: isSubAccount && user.details.allmonitors === '1',
@ -1859,8 +1860,8 @@ module.exports = function(s,config,lang){
            'watch_videos',
            'delete_videos',
        ].forEach((key) => {
-            const permissionOff = isApiKey && permissions[key] !== '1';
-            response.apiKeyPermissions[key] = permissions[key] === '1';
+            const permissionOff = !isSessionKey && isApiKey && permissions[key] !== '1';
+            response.apiKeyPermissions[key] = isSessionKey || permissions[key] === '1';
            response.apiKeyPermissions[`${key}_disallowed`] = permissionOff;
            response.isRestrictedApiKey = response.isRestrictedApiKey || permissionOff;
        });