Raise an error if a api_username is supplied and does not match the key

2025-06-01 09:08:10 +08:00 · 2013-10-23 11:05:49 -04:00
parent a98d4d9b35
commit f73a64982a
2 changed files with 11 additions and 7 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -42,10 +42,12 @@ class Auth::DefaultCurrentUserProvider
        api_key = ApiKey.where(key: api_key_value).includes(:user).first
        if api_key.present?
          @env[API_KEY] = true
+          api_username = request["api_username"]

          if api_key.user.present?
+            raise Discourse::InvalidAccess.new if api_username && (api_key.user.username_lower != api_username.downcase)
            current_user = api_key.user
-          elsif api_username = request["api_username"]
+          elsif api_username
            current_user = User.where(username_lower: api_username.downcase).first
          end