github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-30 15:28:37 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: don't grant same privileges to user_api and api access

Browse Source 
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
This commit is contained in:
Sam
2016-12-16 12:05:20 +11:00
parent 197517d55e
commit 6ff309aa80
6 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
spec/components/auth/default_current_user_provider_spec.rb
View File

@ -175,7 +175,11 @@ describe Auth::DefaultCurrentUserProvider do
"HTTP_USER_API_KEY" => api_key.key,
}
expect(provider("/", params).current_user.id).to eq(user.id)
good_provider = provider("/", params)
expect(good_provider.current_user.id).to eq(user.id)
expect(good_provider.is_api?).to eq(false)
expect(good_provider.is_user_api?).to eq(true)
expect {
provider("/", params.merge({"REQUEST_METHOD" => "POST"})).current_user