SECURITY: don't grant same privileges to user_api and api access

User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.

app/controllers/application_controller.rb

@@ -25,7 +25,7 @@ class ApplicationController < ActionController::Base
   #  and then raising a CSRF exception
   def handle_unverified_request
     # NOTE: API key is secret, having it invalidates the need for a CSRF token
-    unless is_api?
+    unless is_api? || is_user_api?
       super
       clear_current_user
       render text: "['BAD CSRF']", status: 403
@@ -501,7 +501,7 @@ class ApplicationController < ActionController::Base
 
     def check_xhr
       # bypass xhr check on PUT / POST / DELETE provided api key is there, otherwise calling api is annoying
-      return if !request.get? && is_api?
+      return if !request.get? && (is_api? || is_user_api?)
       raise RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
     end
 

app/controllers/posts_controller.rb

@@ -467,7 +467,7 @@ class PostsController < ApplicationController
       json_obj = json_obj[:post]
     end
 
-    if !success && GlobalSetting.try(:verbose_api_logging) && is_api?
+    if !success && GlobalSetting.try(:verbose_api_logging) && (is_api? || is_user_api?)
       Rails.logger.error "Error creating post via API:\n\n#{json_obj.inspect}"
     end