From 9a2d58adceaa6b1335e48290dda64770812033f7 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Mon, 29 Oct 2018 11:03:03 -0400
Subject: [PATCH] We don't store all the permissions in the session anymore. We just use the global user object

---
 web/api/app/Controller/MonitorsController.php | 6 ++++--
 web/api/app/Controller/StatesController.php | 5 +++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/web/api/app/Controller/MonitorsController.php b/web/api/app/Controller/MonitorsController.php
index 5ce4bb476..185a06c84 100644
--- a/web/api/app/Controller/MonitorsController.php
+++ b/web/api/app/Controller/MonitorsController.php
@@ -207,8 +207,10 @@ class MonitorsController extends AppController {
 if ( !$this->Monitor->exists() ) {
 throw new NotFoundException(__('Invalid monitor'));
 }
- if ( $this->Session->Read('systemPermission') != 'Edit' ) {
- throw new UnauthorizedException(__('Insufficient privileges'));
+ global $user;
+ $canEdit = (!$user) || ($user['System'] == 'Edit');
+ if ( !$canEdit ) {
+ throw new UnauthorizedException(__('Insufficient privileges'));
 return;
 }
 $this->request->allowMethod('post', 'delete');
diff --git a/web/api/app/Controller/StatesController.php b/web/api/app/Controller/StatesController.php
index 29201d2c1..b96efe0aa 100644
--- a/web/api/app/Controller/StatesController.php
+++ b/web/api/app/Controller/StatesController.php
@@ -59,8 +59,9 @@ public function add() {
 if ($this->request->is('post')) {
- if ($this->Session->Read('systemPermission') != 'Edit')
- {
+ global $user;
+ $canEdit = (!$user) || ($user['System'] == 'Edit');
+ if ( !$canEdit ) {
 throw new UnauthorizedException(__('Insufficient privileges'));
 return;
 }
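Review bot: The new `$canEdit` line in the MonitorsController hunk fails open: whenever the global `$user` is unset or empty, `(!$user)` is true and the request proceeds, whereas the session check it replaces threw `UnauthorizedException` for anything other than 'Edit'. If an absent `$user` is meant to stand for "authentication disabled", test that configuration setting explicitly rather than the absence of a user, since `global $user` also silently yields null whenever the API bootstrap has not populated it; otherwise tighten the line to `$canEdit = $user && ($user['System'] === 'Edit');`, which also drops the loose `==` comparison on the permission string. The same expression is introduced in the StatesController `add()` hunk and should be changed the same way. The enclosing method of the MonitorsController hunk begins outside the hunk, and in both hunks the `return;` after the throw is unreachable.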