IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: don't grant same privileges to user_api and api access

Browse Source 
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
This commit is contained in:
Sam
2016-12-16 12:05:20 +11:00
parent 197517d55e
commit 6ff309aa80
6 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/posts_controller.rb
View File

@@ -467,7 +467,7 @@ class PostsController < ApplicationController
json_obj = json_obj[:post]
end
if !success && GlobalSetting.try(:verbose_api_logging) && is_api?
if !success && GlobalSetting.try(:verbose_api_logging) && (is_api? || is_user_api?)
Rails.logger.error "Error creating post via API:\n\n#{json_obj.inspect}"
end