IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

Raise an error if a api_username is supplied and does not match the key

Browse Source
This commit is contained in:
Robin Ward 2013-10-23 11:05:49 -04:00
parent a98d4d9b35
commit f73a64982a
2 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/auth/default_current_user_provider.rb
View File

@ -42,10 +42,12 @@ class Auth::DefaultCurrentUserProvider
api_key = ApiKey.where(key: api_key_value).includes(:user).first api_key = ApiKey.where(key: api_key_value).includes(:user).first
if api_key.present? if api_key.present?
@env[API_KEY] = true @env[API_KEY] = true
api_username = request["api_username"]
if api_key.user.present? if api_key.user.present?
raise Discourse::InvalidAccess.new if api_username && (api_key.user.username_lower != api_username.downcase)
current_user = api_key.user current_user = api_key.user
elsif api_username = request["api_username"] elsif api_username
current_user = User.where(username_lower: api_username.downcase).first current_user = User.where(username_lower: api_username.downcase).first
end end

14
spec/controllers/application_controller_spec.rb
View File

@ -1,11 +1,6 @@
require 'spec_helper' require 'spec_helper'
describe 'api' do describe 'api' do
before do
fake_key = SecureRandom.hex(32)
SiteSetting.stubs(:api_key).returns(fake_key)
end
describe PostsController do describe PostsController do
let(:user) do let(:user) do
Fabricate(:user) Fabricate(:user)
@ -22,11 +17,19 @@ describe 'api' do
it 'allows users with api key to bookmark posts' do it 'allows users with api key to bookmark posts' do
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, format: :json put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, format: :json
response.should be_success
end
it 'raises an error with a user key that does not match an optionally specified username' do
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, api_username: 'made_up', format: :json
response.should_not be_success
end end
it 'allows users with a master api key to bookmark posts' do it 'allows users with a master api key to bookmark posts' do
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
put :bookmark, bookmarked: "true", post_id: post.id, api_key: master_key.key, api_username: user.username, format: :json put :bookmark, bookmarked: "true", post_id: post.id, api_key: master_key.key, api_username: user.username, format: :json
response.should be_success
end end
it 'disallows phonies to bookmark posts' do it 'disallows phonies to bookmark posts' do
@ -37,7 +40,6 @@ describe 'api' do
end end
it 'disallows blank api' do it 'disallows blank api' do
SiteSetting.stubs(:api_key).returns("")
PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
lambda do lambda do
put :bookmark, bookmarked: "true", post_id: post.id, api_key: "", api_username: user.username, format: :json put :bookmark, bookmarked: "true", post_id: post.id, api_key: "", api_username: user.username, format: :json