1 files changed, 34 insertions, 8 deletions

diff --git a/web/server/web_client.c b/web/server/web_client.c
index 282cfcd1a..4e34ae3a3 100644
--- a/web/server/web_client.c
+++ b/web/server/web_client.c
@@ -157,6 +157,10 @@ void web_client_request_done(struct web_client *w) {
     w->origin[1] = '\0';
 
     freez(w->user_agent); w->user_agent = NULL;
+    if (w->auth_bearer_token) {
+        freez(w->auth_bearer_token);
+        w->auth_bearer_token = NULL;
+    }
 
     w->mode = WEB_CLIENT_MODE_NORMAL;
 
@@ -577,10 +581,17 @@ static inline int check_host_and_dashboard_acl_and_call(RRDHOST *host, struct we
     return check_host_and_call(host, w, url, func);
 }
 
+static inline int check_host_and_mgmt_acl_and_call(RRDHOST *host, struct web_client *w, char *url, int (*func)(RRDHOST *, struct web_client *, char *)) {
+    if(!web_client_can_access_mgmt(w))
+        return web_client_permission_denied(w);
+
+    return check_host_and_call(host, w, url, func);
+}
+
 int web_client_api_request(RRDHOST *host, struct web_client *w, char *url)
 {
     // get the api version
-    char *tok = mystrsep(&url, "/?&");
+    char *tok = mystrsep(&url, "/");
     if(tok && *tok) {
         debug(D_WEB_CLIENT, "%llu: Searching for API version '%s'.", w->id, tok);
         if(strcmp(tok, "v1") == 0)
@@ -713,7 +724,7 @@ const char *web_response_code_to_string(int code) {
 }
 
 static inline char *http_header_parse(struct web_client *w, char *s, int parse_useragent) {
-    static uint32_t hash_origin = 0, hash_connection = 0, hash_accept_encoding = 0, hash_donottrack = 0, hash_useragent = 0;
+    static uint32_t hash_origin = 0, hash_connection = 0, hash_accept_encoding = 0, hash_donottrack = 0, hash_useragent = 0, hash_authorization = 0;
 
     if(unlikely(!hash_origin)) {
         hash_origin = simple_uhash("Origin");
@@ -721,6 +732,7 @@ static inline char *http_header_parse(struct web_client *w, char *s, int parse_u
         hash_accept_encoding = simple_uhash("Accept-Encoding");
         hash_donottrack = simple_uhash("DNT");
         hash_useragent = simple_uhash("User-Agent");
+        hash_authorization = simple_uhash("X-Auth-Token");
     }
 
     char *e = s;
@@ -765,6 +777,8 @@ static inline char *http_header_parse(struct web_client *w, char *s, int parse_u
     }
     else if(parse_useragent && hash == hash_useragent && !strcasecmp(s, "User-Agent")) {
         w->user_agent = strdupz(v);
+    } else if(hash == hash_authorization&& !strcasecmp(s, "X-Auth-Token")) {
+        w->auth_bearer_token = strdupz(v);
     }
 #ifdef NETDATA_WITH_ZLIB
     else if(hash == hash_accept_encoding && !strcasecmp(s, "Accept-Encoding")) {
@@ -1071,7 +1085,7 @@ static inline int web_client_switch_host(RRDHOST *host, struct web_client *w, ch
         return 400;
     }
 
-    char *tok = mystrsep(&url, "/?&");
+    char *tok = mystrsep(&url, "/");
     if(tok && *tok) {
         debug(D_WEB_CLIENT, "%llu: Searching for host with name '%s'.", w->id, tok);
 
@@ -1163,7 +1177,7 @@ static inline int web_client_process_url(RRDHOST *host, struct web_client *w, ch
             buffer_flush(w->response.data);
 
             // get the name of the data to show
-            tok = mystrsep(&url, "/?&");
+            tok = mystrsep(&url, "&");
             if(tok && *tok) {
                 debug(D_WEB_CLIENT, "%llu: Searching for RRD data with name '%s'.", w->id, tok);
 
@@ -1239,9 +1253,15 @@ void web_client_process_request(struct web_client *w) {
                     return;
 
                 case WEB_CLIENT_MODE_OPTIONS:
-                    if(unlikely(!web_client_can_access_dashboard(w) && !web_client_can_access_registry(w) && !web_client_can_access_badges(w))) {
+                    if(unlikely(
+                            !web_client_can_access_dashboard(w) &&
+                            !web_client_can_access_registry(w) &&
+                            !web_client_can_access_badges(w) &&
+                            !web_client_can_access_mgmt(w) &&
+                            !web_client_can_access_netdataconf(w)
+                    )) {
                         web_client_permission_denied(w);
-                        return;
+                        break;
                     }
 
                     w->response.data->contenttype = CT_TEXT_PLAIN;
@@ -1252,9 +1272,15 @@ void web_client_process_request(struct web_client *w) {
 
                 case WEB_CLIENT_MODE_FILECOPY:
                 case WEB_CLIENT_MODE_NORMAL:
-                    if(unlikely(!web_client_can_access_dashboard(w) && !web_client_can_access_registry(w) && !web_client_can_access_badges(w))) {
+                    if(unlikely(
+                            !web_client_can_access_dashboard(w) &&
+                            !web_client_can_access_registry(w) &&
+                            !web_client_can_access_badges(w) &&
+                            !web_client_can_access_mgmt(w) &&
+                            !web_client_can_access_netdataconf(w)
+                    )) {
                         web_client_permission_denied(w);
-                        return;
+                        break;
                     }
 
                     w->response.code = web_client_process_url(localhost, w, w->decoded_url);