From 9dec97c3c83928d231ea10f4160523a13803e594 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Mon, 12 Oct 2015 18:53:52 +0200
Subject: [PATCH] Add check for permissions on deleting a SAML2 Service
 Provider

Fixes: #194
Fixes: CVE-2015-5301

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
---
 ipsilon/providers/saml2/admin.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipsilon/providers/saml2/admin.py b/ipsilon/providers/saml2/admin.py
index 9d06be1..c7a0289 100644
--- a/ipsilon/providers/saml2/admin.py
+++ b/ipsilon/providers/saml2/admin.py
@@ -307,6 +307,9 @@ class SPAdminPage(AdminPage):
                                   message_type=message_type)
 
     def delete(self):
+        if (not self.user.is_admin and
+                self.user.name != self.sp.owner):
+            raise cherrypy.HTTPError(403)
         self.parent.del_sp(self.sp.name)
         self.sp.permanently_delete()
         return self.parent.root()
-- 
2.20.1