return "403 Forbidden" if authentication token was given, however is invalid

Contributed by T-Labs, Deutsche Telekom Innovation Laboratories Signed-off-by: Mirko Vogt <mirko@openwrt.org>
author: Jo-Philipp Wich <jow@openwrt.org> 2012-08-07 19:11:52 +0000
committer: Jo-Philipp Wich <jow@openwrt.org> 2012-08-07 19:11:52 +0000
commit: 69aa218335330e1e8c623fdc2e5e336b2b78056f (patch)
tree: d7e1d822bd78249a46a64feff96bdf8712cf247d /modules
parent: 0c4edd49b982007fff60f64a86d73aabf7f68784 (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/modules/rpc/luasrc/controller/rpc.lua b/modules/rpc/luasrc/controller/rpc.lua
index 7255c1780..6b091163f 100644
--- a/modules/rpc/luasrc/controller/rpc.lua
+++ b/modules/rpc/luasrc/controller/rpc.lua
@@ -24,11 +24,13 @@ module "luci.controller.rpc"
 function index()
 	local function authenticator(validator, accs)
 		local auth = luci.http.formvalue("auth", true)
-		if auth then
+		if auth then -- if authentication token was given
 			local sdat = luci.sauth.read(auth)
-			user = loadstring(sdat)().user
-			if user and luci.util.contains(accs, user) then
-				return user, auth
+			if sdat then -- if given token is valid
+				user = loadstring(sdat)().user
+				if user and luci.util.contains(accs, user) then
+					return user, auth
+				end
 			end
 		end
 		luci.http.status(403, "Forbidden")
author	Jo-Philipp Wich <jow@openwrt.org>	2012-08-07 19:11:52 +0000
committer	Jo-Philipp Wich <jow@openwrt.org>	2012-08-07 19:11:52 +0000
commit	69aa218335330e1e8c623fdc2e5e336b2b78056f (patch)
tree	d7e1d822bd78249a46a64feff96bdf8712cf247d /modules
parent	0c4edd49b982007fff60f64a86d73aabf7f68784 (diff)