From a5cbfd298ae61a4b70feed138060b190612ec7ad Mon Sep 17 00:00:00 2001 From: Andreas Granig Date: Fri, 29 Nov 2013 13:39:03 +0100 Subject: [PATCH] MT#3927 Invalidate session in API for non-API user --- lib/NGCP/Panel/Controller/Root.pm | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/NGCP/Panel/Controller/Root.pm b/lib/NGCP/Panel/Controller/Root.pm index 4e84e3e487..5e8d636fc5 100644 --- a/lib/NGCP/Panel/Controller/Root.pm +++ b/lib/NGCP/Panel/Controller/Root.pm @@ -26,6 +26,14 @@ sub auto :Private { $c->log->debug("*** Root::auto skip authn, grant access to " . $c->request->path); return 1; } + + if($c->user_exists && $c->user->roles ne "api_admin" && + 0 == index $c->controller->catalyst_component_name, 'NGCP::Panel::Controller::API') { + + $c->log->debug("*** Root::auto invalidate authenticated non-api-admin user for api access"); + $c->logout; + } + unless($c->user_exists) { $c->log->debug("*** Root::auto user not authenticated"); if (
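Review bot: The forced logout in the added `if` block is recorded only at debug level and names neither the request path nor the affected user, so a production log will normally hold no trace that a panel session was dropped on an API request. Logging it at info or above with the path, e.g. `$c->log->info("*** Root::auto invalidate authenticated non-api-admin user for api access to " . $c->request->path);`, would make the event auditable; any user identity has to be read before `$c->logout` runs. Separately, `$c->logout` removes the authenticated user but, as far as the hunk shows, leaves the session and whatever else is stored in it in place, so if the subject's "Invalidate session" is meant literally a `$c->delete_session(...)` call is probably needed too (this assumes the session plugin is loaded, which is not visible here). `auto` starts before and continues past the hunk, so how the following `unless($c->user_exists)` branch then treats the API request cannot be checked from these lines.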