From e6a2655d312aa122eafea9b1d503a1ecda077d23 Mon Sep 17 00:00:00 2001
From: Terrtia <or1994@hotmail.fr>
Date: Tue, 23 Feb 2021 15:28:15 +0100
Subject: [PATCH] fix: [API ACL] avoid user_no_api users to access the API

---
 var/www/modules/restApi/Flask_restApi.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/var/www/modules/restApi/Flask_restApi.py b/var/www/modules/restApi/Flask_restApi.py
index 8e1db66a..8e96bf67 100644
--- a/var/www/modules/restApi/Flask_restApi.py
+++ b/var/www/modules/restApi/Flask_restApi.py
@@ -68,6 +68,10 @@ def get_user_from_token(token):
     return r_serv_db.hget('user:tokens', token)
 
 def verify_user_role(role, token):
+    # User without API
+    if role == 'user_no_api':
+        return False
+        
     user_id = get_user_from_token(token)
     if user_id:
         if is_in_role(user_id, role):