# HG changeset patch
# User Matt Johnston
# Date 1447770249 -28800
# Node ID a3e9c97c448bdeba906e234083f246aebbab489e
# Parent 55cae4f27e75407687bc1d7e9ceec066a9bcb5f9
Oops, we didn't authenticate the parameter update
diff -r 55cae4f27e75 -r a3e9c97c448b web/templog.py
--- a/web/templog.py Wed Jun 10 00:13:26 2015 +0800
+++ b/web/templog.py Tue Nov 17 22:24:09 2015 +0800
@@ -69,6 +69,12 @@
 @route('/set/update', method='post')
 def set_update():
+ if not secure.check_user_hash(config.ALLOWED_USERS):
+ # the "Save" button should be disabled if the cert wasn't
+ # good
+ response.status = 403
+ return "No cert, dodginess"
+
 post_json = json.loads(request.forms.data)
 csrf_blob = post_json['csrf_blob']
@@ -79,7 +85,7 @@
 ret = log.update_params(post_json['params'])
 if not ret is True:
- response.status = 403
+ response.status = 409 # Conflict
 return ret
 return "Good"
@@ -157,6 +163,11 @@
 #var_lookup = environ['mod_ssl.var_lookup']
 #return var_lookup("SSL_SERVER_I_DN_O")
+@route('/h')
+def headers():
+ response.set_header('Content-Type', 'text/plain')
+ return '\n'.join("%s: %s" % x for x in request.headers.items())
+
 @route('/get_settings')
 def get_settings():
 response.set_header('Cache-Control', 'no-cache')
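Review bot: The certificate check is written inline in `set_update()`, so any other state-changing route still depends on someone remembering to repeat it, which is the kind of omission this commit fixes. Moving it into a small decorator applied per route makes the requirement visible next to each `@route` line and keeps the 403 path in one place; the fence below sketches that. Whether other handlers in this file need it cannot be seen from this hunk, and `set_update()` itself continues past the hunk's last line. The rejection is also silent, so recording the refused attempt through whatever logging the application already uses would help spot probing of this endpoint.

```python
def require_allowed_user(handler):
    """Refuse the request with 403 unless the client certificate is allowed."""
    def wrapper(*args, **kwargs):
        if not secure.check_user_hash(config.ALLOWED_USERS):
            # the "Save" button should be disabled if the cert wasn't good
            response.status = 403
            return "No cert, dodginess"
        return handler(*args, **kwargs)
    return wrapper

@route('/set/update', method='post')
@require_allowed_user
def set_update():
    # … unchanged: JSON parsing, CSRF check, update_params …
```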
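Review bot: The new 409 is set for every value of `ret` other than `True`, so the handler now asserts that any failure from `log.update_params()` is a conflict. That function is not visible here; if it can also fail on malformed or out-of-range parameters, those cases would be reported as conflicts rather than as bad requests. A comment stating the contract would settle it, for example `# update_params returns True, or a message describing why the update conflicted`. The enclosing `set_update()` begins before this hunk.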
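Review bot: `headers()` is reachable without the `secure.check_user_hash(config.ALLOWED_USERS)` check that this same commit adds to `set_update()`, and it returns every request header verbatim. That output includes cookies and any headers a front-end proxy may add, so it can disclose how the deployment forwards client-certificate details, and it makes cookie values readable to any script running on the same origin even when they are marked HttpOnly. If the route is a debugging aid it should be removed before deployment or gated, for example by starting the body with `if not secure.check_user_hash(config.ALLOWED_USERS):` followed by `response.status = 403` and `return "No cert"`. A one-line docstring saying the route exists for debugging would also help.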