mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 09:36:19 -05:00
id is optional if already specified in header
parent
be0fd5b4cc
commit
1d281e02c7
2 changed files with 16 additions and 1 deletions
|
@ -90,14 +90,18 @@ class UserApiKeysController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def revoke
|
def revoke
|
||||||
revoke_key = find_key
|
revoke_key = find_key if params[:id]
|
||||||
|
|
||||||
if current_key = request.env['HTTP_USER_API_KEY']
|
if current_key = request.env['HTTP_USER_API_KEY']
|
||||||
request_key = UserApiKey.find_by(key: current_key)
|
request_key = UserApiKey.find_by(key: current_key)
|
||||||
|
revoke_key ||= request_key
|
||||||
if request_key && request_key.id != revoke_key.id && !request_key.write
|
if request_key && request_key.id != revoke_key.id && !request_key.write
|
||||||
raise Discourse::InvalidAccess
|
raise Discourse::InvalidAccess
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
raise Discourse::NotFound unless revoke_key
|
||||||
|
|
||||||
revoke_key.update_columns(revoked_at: Time.zone.now)
|
revoke_key.update_columns(revoked_at: Time.zone.now)
|
||||||
|
|
||||||
render json: success_json
|
render json: success_json
|
||||||
|
|
|
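Review bot: In `revoke`, a request whose `HTTP_USER_API_KEY` header matches no row leaves `request_key` nil, so the read-only check is skipped and a key selected through `params[:id]` is still revoked. The same lookup now also chooses the revoke target when no id is sent, and it does not filter on `revoked_at`. A request carrying an already-revoked key would therefore overwrite the original revocation timestamp, unless an earlier filter not visible on this page rejects it. Consider adding `raise Discourse::InvalidAccess unless request_key && request_key.revoked_at.nil?` directly after the `find_by`, and a short comment stating that a header key with no id may only revoke itself. `find_key` and the rest of the controller are outside the hunk, so whether the id lookup is scoped to the current user cannot be confirmed here.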
@ -94,6 +94,17 @@ TXT
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "allows for a revoke with no id" do
|
||||||
|
key = Fabricate(:readonly_user_api_key)
|
||||||
|
request.env['HTTP_USER_API_KEY'] = key.key
|
||||||
|
post :revoke
|
||||||
|
|
||||||
|
expect(response.status).to eq(200)
|
||||||
|
|
||||||
|
key.reload
|
||||||
|
expect(key.revoked_at).not_to eq(nil)
|
||||||
|
end
|
||||||
|
|
||||||
it "will not allow readonly api keys to revoke others" do
|
it "will not allow readonly api keys to revoke others" do
|
||||||
key1 = Fabricate(:readonly_user_api_key)
|
key1 = Fabricate(:readonly_user_api_key)
|
||||||
key2 = Fabricate(:readonly_user_api_key)
|
key2 = Fabricate(:readonly_user_api_key)
|
||||||
|
|
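Review bot: The new example "allows for a revoke with no id" covers only the success path; nothing exercises the added `raise Discourse::NotFound unless revoke_key` line in the controller. A companion example should send `post :revoke` with neither an id nor a header, and another with a header value that matches no key, each asserting `expect(response.status).not_to eq(200)`. It would also help to fabricate a second key in the success example and assert that its `revoked_at` is still nil, so that a regression revoking the wrong key is caught. The surrounding `describe` block starts outside the hunk, so any login setup these examples need is assumed to come from there.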