harden connect method

2024-04-18 21:37:43 +00:00 · 2024-04-18 21:37:43 +00:00 · 531aac6923
parent 59b4604c77
commit 531aac6923
1 changed files with 13 additions and 7 deletions
--- a/api/tacticalrmm/core/consumers.py
+++ b/api/tacticalrmm/core/consumers.py
@ -148,20 +148,26 @@ class TerminalConsumer(JsonWebsocketConsumer):

        self.user = self.scope["user"]

+        if isinstance(self.user, AnonymousUser):
+            self.close()
+            return
+
        if not self.user.is_authenticated:
            self.close(4401)
            return

+        if self.user.block_dashboard_login or not _has_perm(
+            self.user, "can_run_servercli"
+        ):
+            self.close(4401)
+            return
+
        if self.child_pid is not None:
            return

-        if self.user.is_authenticated:
-            if not _has_perm(self.user, "can_run_servercli"):
-                self.close(4401)
-
-            self.connected = True
-            self.authorized = True
-            self.accept()
+        self.connected = True
+        self.authorized = True
+        self.accept()

        # Daemonize the thread so it automatically dies when the main thread exits
        thread = threading.Thread(target=self.run_command, daemon=True)