From eaf3ad30d1c20ea7a428d4df96e320fe1ebe1abb Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Fri, 11 Oct 2019 08:57:55 +0200
Subject: [PATCH] chg: [auth] Check if can access the dashboard
---
 server.py | 9 ++++++++-
 templates/login.html | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/server.py b/server.py
index 8c4fb44..d62b8ec 100755
--- a/server.py
+++ b/server.py
@@ -109,6 +109,7 @@ class User(UserMixin):
 }
 misp_login_page = auth_host + "/users/login"
+ misp_user_me_page = auth_host + "/users/view/me.json"
 session = requests.Session()
 session.verify = auth_ssl_verify
@@ -132,7 +133,13 @@ class User(UserMixin):
 redirect_location = post_to_login_page.headers.get('Location', '')
 # Authentication is successful if MISP returns a redirect to '/users/routeafterlogin'.
 if '/users/routeafterlogin' in redirect_location:
- return True
+ # Logged in, check if logged in user can access the dashboard
+ me_json = session.get(misp_user_me_page).json()
+ dashboard_access = me_json.get('UserSetting', {}).get('dashboard_access', False)
+ if dashboard_access is not False:
+ return dashboard_access is True or dashboard_access == 1
+ else:
+ return False
 return None
diff --git a/templates/login.html b/templates/login.html
index 93ab85b..4e128ec 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -36,7 +36,7 @@
 {% if authError %}
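Review bot: In server.py's second hunk the new authorization lookup `session.get(misp_user_me_page).json()` has no status or parse handling, so a non-200 or non-JSON reply from MISP raises out of the login path instead of producing a clean denial. The chained `.get('UserSetting', {}).get(...)` also assumes `UserSetting` is a JSON object; if MISP serializes an empty settings collection as `[]` (not visible here, worth confirming) the second `.get` raises AttributeError. I would wrap the request so every failure returns False, and collapse the `if/else` into the single boolean return, which yields the same result for every value. The enclosing method starts and ends outside the hunk, so how the caller distinguishes False from None is not visible from here.

```python
if '/users/routeafterlogin' in redirect_location:
    # Logged in, check if logged in user can access the dashboard
    try:
        me_response = session.get(misp_user_me_page)
        me_response.raise_for_status()
        me_json = me_response.json()
    except (requests.RequestException, ValueError):
        # Lookup failed or the body was not JSON: deny rather than raise.
        return False
    user_settings = me_json.get('UserSetting') if isinstance(me_json, dict) else None
    if not isinstance(user_settings, dict):
        return False
    dashboard_access = user_settings.get('dashboard_access', False)
    return dashboard_access is True or dashboard_access == 1
```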
- Username and Password does not match when connecting to MISP
+ Username and Password does not match when connecting to MISP or incorrect MISP permission
{% endif %}