codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2024-11-23 15:48:43 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

id is optional if already specified in header

Browse source
This commit is contained in:
Sam 2016-09-02 17:08:46 +10:00
parent be0fd5b4cc
commit 1d281e02c7
2 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/controllers/user_api_keys_controller.rb
View file

@ -90,14 +90,18 @@ class UserApiKeysController < ApplicationController
end end
def revoke def revoke
revoke_key = find_key revoke_key = find_key if params[:id]
if current_key = request.env['HTTP_USER_API_KEY'] if current_key = request.env['HTTP_USER_API_KEY']
request_key = UserApiKey.find_by(key: current_key) request_key = UserApiKey.find_by(key: current_key)
revoke_key ||= request_key
if request_key && request_key.id != revoke_key.id && !request_key.write if request_key && request_key.id != revoke_key.id && !request_key.write
raise Discourse::InvalidAccess raise Discourse::InvalidAccess
end end
end end
raise Discourse::NotFound unless revoke_key
revoke_key.update_columns(revoked_at: Time.zone.now) revoke_key.update_columns(revoked_at: Time.zone.now)
render json: success_json render json: success_json

11
spec/controllers/user_api_keys_controller_spec.rb
View file

@ -94,6 +94,17 @@ TXT
end end
it "allows for a revoke with no id" do
key = Fabricate(:readonly_user_api_key)
request.env['HTTP_USER_API_KEY'] = key.key
post :revoke
expect(response.status).to eq(200)
key.reload
expect(key.revoked_at).not_to eq(nil)
end
it "will not allow readonly api keys to revoke others" do it "will not allow readonly api keys to revoke others" do
key1 = Fabricate(:readonly_user_api_key) key1 = Fabricate(:readonly_user_api_key)
key2 = Fabricate(:readonly_user_api_key) key2 = Fabricate(:readonly_user_api_key)