mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-23 15:48:43 -05:00
id is optional if already specified in header
This commit is contained in:
parent
be0fd5b4cc
commit
1d281e02c7
2 changed files with 16 additions and 1 deletions
|
@ -90,14 +90,18 @@ class UserApiKeysController < ApplicationController
|
|||
end
|
||||
|
||||
def revoke
|
||||
revoke_key = find_key
|
||||
revoke_key = find_key if params[:id]
|
||||
|
||||
if current_key = request.env['HTTP_USER_API_KEY']
|
||||
request_key = UserApiKey.find_by(key: current_key)
|
||||
revoke_key ||= request_key
|
||||
if request_key && request_key.id != revoke_key.id && !request_key.write
|
||||
raise Discourse::InvalidAccess
|
||||
end
|
||||
end
|
||||
|
||||
raise Discourse::NotFound unless revoke_key
|
||||
|
||||
revoke_key.update_columns(revoked_at: Time.zone.now)
|
||||
|
||||
render json: success_json
|
||||
|
|
|
@ -94,6 +94,17 @@ TXT
|
|||
|
||||
end
|
||||
|
||||
it "allows for a revoke with no id" do
|
||||
key = Fabricate(:readonly_user_api_key)
|
||||
request.env['HTTP_USER_API_KEY'] = key.key
|
||||
post :revoke
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
|
||||
key.reload
|
||||
expect(key.revoked_at).not_to eq(nil)
|
||||
end
|
||||
|
||||
it "will not allow readonly api keys to revoke others" do
|
||||
key1 = Fabricate(:readonly_user_api_key)
|
||||
key2 = Fabricate(:readonly_user_api_key)
|
||||
|
|
Loading…
Reference in a new issue