From fa85e24e1e78747f3a94a12b94a6e93fedc8dd44 Mon Sep 17 00:00:00 2001
From: emli
Date: Mon, 19 Mar 2018 09:44:53 +0600
Subject: [PATCH] #298 Allow only subutai user use update config rest
---
 template/template.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/template/template.go b/template/template.go
index dc96998..b30ff8d 100644
--- a/template/template.go
+++ b/template/template.go
@@ -316,6 +316,20 @@ func delTag(values map[string][]string) (int, error) {
 }
 func ModifyConfig(w http.ResponseWriter, r *http.Request) {
+ token := r.URL.Query().Get("token")
+ owner := strings.ToLower(db.CheckToken(token))
+ if len(token) == 0 || len(owner) == 0 {
+ w.WriteHeader(http.StatusUnauthorized)
+ w.Write([]byte("Not authorized"))
+ log.Warn(r.RemoteAddr + " - rejecting unauthorized owner request")
+ return
+ }
+ if owner != "subutai" {
+ w.WriteHeader(http.StatusBadRequest)
+ w.Write([]byte("Only allowed users can update template config"))
+ log.Warn(r.RemoteAddr + " - rejecting update request")
+ return
+ }
 list := db.Search("")
 for _, k := range list {
 if db.CheckRepo("", "template", k) == 0 {
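Review bot: The owner check in ModifyConfig compares a case-folded name, `owner := strings.ToLower(db.CheckToken(token))` followed by `if owner != "subutai"`, so any account whose name differs from "subutai" only by letter case would be accepted if the user store treats names as case-sensitive (not visible here); comparing the value returned by db.CheckToken exactly, or normalising names at registration, would close that gap. The rejection for a valid but non-privileged token should be `w.WriteHeader(http.StatusForbidden)` rather than http.StatusBadRequest, because the request is well-formed and the caller is authenticated. The token is read from the query string (`r.URL.Query().Get("token")`), which tends to end up in access and proxy logs; reading it from a request header or the body would keep it out of them, if clients can be changed. Including owner in the second log.Warn line would also make rejected attempts attributable in the audit trail. The body of ModifyConfig continues past the end of the hunk.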