From 7ca5ab3da36e9c991e8533a7e869d3016651c647 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 17 Jun 2013 16:09:59 +1000
Subject: [PATCH] allow api for restricted by global password sites

---
 app/controllers/application_controller.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3ca7dd5d0f6..cdcdfc5edaa 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -242,8 +242,10 @@ class ApplicationController < ActionController::Base
 def check_restricted_access
 # note current_user is defined in the CurrentUser mixin
 if SiteSetting.access_password.present? && cookies[:_access] != SiteSetting.access_password
- redirect_to request_access_path(return_path: request.fullpath)
- return false
+ unless api_key_valid?
+ redirect_to request_access_path(return_path: request.fullpath)
+ return false
+ end
 end
 end
 
@@ -263,7 +265,7 @@ class ApplicationController < ActionController::Base
 def check_xhr
 unless (controller_name == 'forums' || controller_name == 'user_open_ids')
 # bypass xhr check on PUT / POST / DELETE provided api key is there, otherwise calling api is annoying
- return if !request.get? && request["api_key"] && SiteSetting.api_key_valid?(request["api_key"])
+ return if !request.get? && api_key_valid?
 raise RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
 end
 end
@@ -285,4 +287,10 @@ class ApplicationController < ActionController::Base
 render status: status, layout: 'no_js', formats: [:html], template: '/exceptions/not_found'
 end
 
+ protected
+
+ def api_key_valid?
+ request["api_key"] && SiteSetting.api_key_valid?(request["api_key"])
+ end
+
 end
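Review bot: The new `unless api_key_valid?` guard in `check_restricted_access` accepts the key on every verb, GET included, while the `check_xhr` caller of the same helper is still limited by `!request.get?`. Because the key is read with `request["api_key"]`, a GET client has to put it in the URL, where it can end up in access logs, proxy logs and Referer headers. When the key fails validation, `request.fullpath` (query string included) is also copied into `return_path`, so a near-miss key is echoed into the redirect. Consider reading the key from a request header or the body for this gate and dropping `api_key` from the return path. A comment such as `# API clients cannot send the _access cookie, so a valid api_key stands in for the site password` would record the intent, and the commit adds no spec for the valid, invalid and missing key cases.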
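Review bot: `api_key_valid?` now decides an access-control bypass, but it passes an empty `api_key` parameter straight through, since `""` is truthy in Ruby. Whether that matters depends on how `SiteSetting.api_key_valid?` (outside this diff) treats a site with no key configured. Reading the parameter once and rejecting blanks closes that off regardless: `key = request["api_key"]` followed by `key.present? && SiteSetting.api_key_valid?(key)`, which also makes the helper return a strict boolean. A comment above it such as `# true when the request carries a valid api_key; bypasses both the XHR check and the access-password gate` would warn the next reader that both callers depend on it. If the comparison inside `SiteSetting.api_key_valid?` uses `==`, a constant-time compare would be the safer choice there.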