From ed93977a0d476105bb74600af0ff4954aa248c28 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Tue, 13 Oct 2015 16:30:19 +0200
Subject: DefaultACL: Deny remote access to expire_metadata_cache
---
src/lib/Bcfg2/Server/Core.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py
index 3db97f770..9e98f8636 100644
--- a/src/lib/Bcfg2/Server/Core.py
+++ b/src/lib/Bcfg2/Server/Core.py
@@ -119,7 +119,8 @@ class DefaultACL(Plugin, ClientACLs):
 def check_acl_ip(self, address, rmi):
 return (("." not in rmi and
 not rmi.endswith("_debug") and
- rmi != 'get_statistics') or
+ rmi != 'get_statistics' and
+ rmi != 'expire_metadata_cache') or
 address[0] == "127.0.0.1")
 # in core we frequently want to catch all exceptions, regardless of
-- 
cgit v1.2.3-1-g7c22
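Review bot: check_acl_ip still decides remote access through a chain of `rmi != '...'` exclusions, so the default remains fail-open: any exposed method that is not named in the return expression stays callable from a non-loopback address. Consider keeping the local-only names in one documented tuple on the class, e.g. `LOCAL_ONLY_RMI = ('get_statistics', 'expire_metadata_cache')`, and testing `rmi not in self.LOCAL_ONLY_RMI` in place of the two comparisons, so the next restricted call is a one-word change with its reason recorded beside it. The set of exposed methods lies outside this hunk, so whether other calls need the same restriction has to be checked against the rest of Core.py. A short docstring on check_acl_ip stating the rule (no dotted plugin RMI, no `*_debug`, no local-only name unless address[0] is 127.0.0.1) would also make the intent reviewable.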