From c83c7720b3f36f76ff3e1298a8296a82c3896e19 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Sat, 14 Sep 2019 13:19:22 +0530
Subject: [PATCH] Forbid unwanted realms from add products
---
 ucloud-pay.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ucloud-pay.py b/ucloud-pay.py
index d9e6c72..bb2a617 100644
--- a/ucloud-pay.py
+++ b/ucloud-pay.py
@@ -2,7 +2,7 @@
 import binascii
 import json
 import requests
-from decouple import config
+from decouple import config, Csv
 from flask import Flask, request
 from flask_restful import Resource, Api
 from pyotp import TOTP
@@ -54,6 +54,13 @@ class AddProduct(Resource):
 def post():
 data = request.json
 logging.debug("Got data: {}".format(str(data)))
+ REALM_ALLOWED = config("REALM_ALLOWED", cast=Csv(str))
+ logging.debug("REALM_ALLOWED = {}".format(REALM_ALLOWED))
+ if data["realm"] not in REALM_ALLOWED:
+ logging.error(
+ "The given realm {} is not "
+ "allowed to do add product".format(data["realm"]))
+ return {"message": "Forbidden"}, 403
 otp_response = check_otp(data["name"], data["realm"], data["token"])
 if otp_response != 200: