From 531aac692347a5aa5f56f90c3a0fcea4add96ddc Mon Sep 17 00:00:00 2001
From: wh1te909 <7434746+wh1te909@users.noreply.github.com>
Date: Thu, 18 Apr 2024 21:37:43 +0000
Subject: [PATCH] harden connect method

---
 api/tacticalrmm/core/consumers.py | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/api/tacticalrmm/core/consumers.py b/api/tacticalrmm/core/consumers.py
index 72e09b36..01670145 100644
--- a/api/tacticalrmm/core/consumers.py
+++ b/api/tacticalrmm/core/consumers.py
@@ -148,20 +148,26 @@ class TerminalConsumer(JsonWebsocketConsumer):
         self.user = self.scope["user"]
 
+        if isinstance(self.user, AnonymousUser):
+            self.close()
+            return
+
         if not self.user.is_authenticated:
             self.close(4401)
             return
 
+        if self.user.block_dashboard_login or not _has_perm(
+            self.user, "can_run_servercli"
+        ):
+            self.close(4401)
+            return
+
         if self.child_pid is not None:
             return
 
-        if self.user.is_authenticated:
-            if not _has_perm(self.user, "can_run_servercli"):
-                self.close(4401)
-
-            self.connected = True
-            self.authorized = True
-            self.accept()
+        self.connected = True
+        self.authorized = True
+        self.accept()
 
         # Daemonize the thread so it automatically dies when the main thread exits
         thread = threading.Thread(target=self.run_command, daemon=True)
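Review bot: The `self.close(4401)` on the new `block_dashboard_login` / `_has_perm` guard (and on the existing `is_authenticated` one) is issued before `self.accept()`, and as far as I recall Channels/Daphne surface a close before accept as a rejected handshake (HTTP 403) rather than a WebSocket close frame, so the 4401 code never reaches the client; either accept and then close when the code matters, or use a plain `self.close()` as the new AnonymousUser branch does so the three rejection paths are consistent. Because the removed version's `_has_perm` failure called `close(4401)` and then fell through to `accept()` and the shell thread, a comment above the guards such as `# Every rejection path must return after close(); falling through reaches accept() and starts the shell thread` would document the invariant this commit restores. The checks run only once at connect, so a user whose `block_dashboard_login` flag is set or whose `can_run_servercli` permission is revoked afterwards keeps an already-open terminal until disconnect; if that is intended, say so in a `connect()` docstring, otherwise the receive path needs the same guard. `connect()` continues past the end of the hunk.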