IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: don't grant same privileges to user_api and api access

Browse Source 
User API is no longer gets bypasses that standard API gets.
Only bypasses are CSRF and XHR requirements.
This commit is contained in:
Sam
2016-12-16 12:05:20 +11:00
parent 197517d55e
commit 6ff309aa80
6 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/current_user.rb
View File

@@ -26,6 +26,10 @@ module CurrentUser
current_user_provider.is_api?
end
def is_user_api?
current_user_provider.is_user_api?
end
def current_user
current_user_provider.current_user
end