Don't allow users to delete objects that weren't created using the API
authorGunnar Beutner <gunnar@beutner.name>
Tue, 18 Aug 2015 06:17:34 +0000 (08:17 +0200)
committerMichael Friedrich <michael.friedrich@netways.de>
Tue, 18 Aug 2015 06:22:14 +0000 (08:22 +0200)
refs #9082

lib/remote/createobjecthandler.cpp
lib/remote/deleteobjecthandler.cpp

index 143d17139ffafe3bff66d4a2cce52fab3de36ec0..4569357814692d95ace1606e1d393c22d91994dd 100644 (file)
@@ -61,6 +61,7 @@ bool CreateObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
        builder->SetType(type->GetName());
        builder->SetName(name);
        builder->SetScope(ScriptGlobal::GetGlobals());
+       builder->SetModule("_api");
 
        Array::Ptr templates = params->Get("templates");
 
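Review bot: The ownership marker on the added line `builder->SetModule("_api");` is a bare string literal, and the delete guard in lib/remote/deleteobjecthandler.cpp compares against the same literal; both should use one shared named constant so the tag and the check cannot drift apart. A short comment would also help the next reader, e.g. `// Tag API-created objects; DeleteObjectHandler refuses to delete anything without this module.` Whether any other code path can assign this module name is not visible here, and since the delete permission rests on it, that is worth confirming. HandleRequest starts and ends outside the hunk.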
index fe532dfdfe841b7117802fba3ba0d9483450a1f9..92b6aa079381e65cd507c51cb00fc144951ad3c8 100644 (file)
@@ -65,6 +65,13 @@ bool DeleteObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
                Dictionary::Ptr result1 = new Dictionary();
                result1->Set("type", type->GetName());
                result1->Set("name", obj->GetName());
+               results->Add(result1);
+
+               if (obj->GetModule() != "_api") {
+                       result1->Set("code", 500);
+                       result1->Set("status", "Object cannot be deleted because it was not created using the API.");
+                       continue;
+               }
 
                ConfigItem::Ptr item = ConfigItem::GetObject(type->GetName(), obj->GetName());
 
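Review bot: The refusal branch under `if (obj->GetModule() != "_api")` reports `code` 500, the same value the exception path later in this loop uses, so a client or log reader cannot tell a policy refusal from a server-side failure; a client-error code fits better, e.g. `result1->Set("code", 403);`. The refusal also leaves no trace on the server side: a log entry naming the requesting `user` and the object's type and name would let operators see attempts to delete objects that were not created through the API. HandleRequest begins and ends outside the hunk, so the overall HTTP status of the response cannot be checked from here.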
@@ -82,8 +89,6 @@ bool DeleteObjectHandler::HandleRequest(const ApiUser::Ptr& user, HttpRequest& r
                        result1->Set("code", 500);
                        result1->Set("status", "Object could not be deleted: " + DiagnosticInformation(ex));
                }
-
-               results->Add(result1);
        }
 
        Dictionary::Ptr result = new Dictionary();