From 33a516b14b4b0706419479e388742b3ab5432c7f Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela <perex@perex.cz>
Date: Fri, 12 Sep 2014 16:55:36 +0200
Subject: [PATCH] HTTP API: add missing access verification for all API calls

---
 src/api.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/api.c b/src/api.c
index 38295573..4eadf940 100644
--- a/src/api.c
+++ b/src/api.c
@@ -84,6 +84,9 @@ api_exec ( access_t *perm, const char *subsystem,
     return ENOSYS; // TODO: is this really the right error code?
   }
 
+  if (access_verify2(perm, ah->hook->ah_access))
+    return EPERM;
+
   /* Extract method */
   op = htsmsg_get_str(args, "method");
   if (!op)