FEATURE: allow user api key revocation for read only keys

This commit is contained in:
Sam
2016-09-02 16:57:41 +10:00
parent df8d24734a
commit be0fd5b4cc
4 changed files with 48 additions and 3 deletions


@ -176,10 +176,16 @@ class Auth::DefaultCurrentUserProvider
protected
WHITELISTED_WRITE_PATHS ||= [/^\/message-bus\/.*\/poll/, /^\/user-api-key\/revoke$/]
def lookup_user_api_user(user_api_key)
if api_key = UserApiKey.where(key: user_api_key, revoked_at: nil).includes(:user).first
if !api_key.write && (@env["REQUEST_METHOD"] != "GET" && @env["PATH_INFO"] !~ /^\/message-bus\/.*\/poll/)
raise Discourse::InvalidAccess
unless api_key.write
if @env["REQUEST_METHOD"] != "GET"
path = @env["PATH_INFO"]
unless WHITELISTED_WRITE_PATHS.any?{|whitelisted| path =~ whitelisted}
raise Discourse::InvalidAccess
end
end
end
api_key.user