From 1d281e02c7dbc7084e63ec4db9e444142a6ae1f2 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 2 Sep 2016 17:08:46 +1000
Subject: [PATCH] id is optional if already specified in header

---
 app/controllers/user_api_keys_controller.rb | 6 +++++-
 spec/controllers/user_api_keys_controller_spec.rb | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb
index 3875e982b..d4f8dfb6e 100644
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@@ -90,14 +90,18 @@ class UserApiKeysController < ApplicationController
   end

   def revoke
-    revoke_key = find_key
+    revoke_key = find_key if params[:id]
+
     if current_key = request.env['HTTP_USER_API_KEY']
       request_key = UserApiKey.find_by(key: current_key)
+      revoke_key ||= request_key
       if request_key && request_key.id != revoke_key.id && !request_key.write
         raise Discourse::InvalidAccess
       end
     end

+    raise Discourse::NotFound unless revoke_key
+
     revoke_key.update_columns(revoked_at: Time.zone.now)

     render json: success_json
diff --git a/spec/controllers/user_api_keys_controller_spec.rb b/spec/controllers/user_api_keys_controller_spec.rb
index 9d0324c9a..92bc23404 100644
--- a/spec/controllers/user_api_keys_controller_spec.rb
+++ b/spec/controllers/user_api_keys_controller_spec.rb
@@ -94,6 +94,17 @@ TXT
   end

+  it "allows for a revoke with no id" do
+    key = Fabricate(:readonly_user_api_key)
+    request.env['HTTP_USER_API_KEY'] = key.key
+    post :revoke
+
+    expect(response.status).to eq(200)
+
+    key.reload
+    expect(key.revoked_at).not_to eq(nil)
+  end
+
   it "will not allow readonly api keys to revoke others" do
     key1 = Fabricate(:readonly_user_api_key)
     key2 = Fabricate(:readonly_user_api_key)
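Review bot: When an explicit `id` is supplied but `find_key` yields nil, the new `revoke_key ||= request_key` line silently substitutes the caller's own header key, so a request naming a wrong or foreign id ends up revoking the requester's key instead of returning 404 (this assumes `find_key` returns nil rather than raising; its body is not visible here). The fallback should apply only when no id was given, e.g. `revoke_key ||= request_key unless params[:id]`, and a `raise Discourse::NotFound unless revoke_key` should then sit before the `request_key.id != revoke_key.id` comparison so that path can no longer reach `nil.id`. Note also that `params[:id]` is truthy for an empty string in Ruby, so `params[:id].present?` is the tighter guard for the first added line. The method's closing `end` lies outside the hunk.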