From 8870e95c16e49a49db43d0f785c9d23ade99ca4a Mon Sep 17 00:00:00 2001 From: Ronni Skansing Date: Thu, 14 May 2026 11:46:41 +0200 Subject: [PATCH] fix perms Signed-off-by: Ronni Skansing --- backend/controller/remoteBrowser.go | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/backend/controller/remoteBrowser.go b/backend/controller/remoteBrowser.go index e8a7f8f..63d2dc0 100644 --- a/backend/controller/remoteBrowser.go +++ b/backend/controller/remoteBrowser.go @@ -688,10 +688,14 @@ func (m *RemoteBrowserController) sessionToInfo(sess *activeSession) liveSession // ListLiveSessions returns all active victim sessions for the campaign, optionally // filtered by campaignID query param. func (m *RemoteBrowserController) ListLiveSessions(g *gin.Context) { - _, _, ok := m.handleSession(g) + session, _, ok := m.handleSession(g) if !ok { return } + if authorized, err := service.IsAuthorized(session, data.PERMISSION_ALLOW_GLOBAL); err != nil || !authorized { + m.Response.Forbidden(g) + return + } campaignFilter := g.Query("campaignID") var sessions []liveSessionInfo m.RemoteBrowserService.RangeSessions(func(_ string, val service.LiveSession) bool { @@ -709,10 +713,14 @@ func (m *RemoteBrowserController) ListLiveSessions(g *gin.Context) { // CloseLiveSession terminates an active victim session by cancelling its context. func (m *RemoteBrowserController) CloseLiveSession(g *gin.Context) { - _, _, ok := m.handleSession(g) + session, _, ok := m.handleSession(g) if !ok { return } + if authorized, err := service.IsAuthorized(session, data.PERMISSION_ALLOW_GLOBAL); err != nil || !authorized { + m.Response.Forbidden(g) + return + } crID := g.Param("crID") val, loaded := m.RemoteBrowserService.LoadAndDeleteSession(crID) if !loaded { @@ -727,10 +735,14 @@ func (m *RemoteBrowserController) CloseLiveSession(g *gin.Context) { // the admin. When mode=control (query param) it also forwards mouse/keyboard // input from the admin back into the browser. func (m *RemoteBrowserController) StreamLiveSession(g *gin.Context) { - _, _, ok := m.handleSession(g) + session, _, ok := m.handleSession(g) if !ok { return } + if authorized, err := service.IsAuthorized(session, data.PERMISSION_ALLOW_GLOBAL); err != nil || !authorized { + m.Response.Forbidden(g) + return + } crIDStr := g.Param("crID") val, exists := m.RemoteBrowserService.LoadSession(crIDStr) if !exists {