diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb
index d4f8dfb6e..8b532a100 100644
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@@ -24,7 +24,7 @@ class UserApiKeysController < ApplicationController
 return
 end
- if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
+ unless meets_tl?
 @no_trust_level = true
 return
 end
@@ -53,7 +53,7 @@ class UserApiKeysController < ApplicationController
 raise Discourse::InvalidAccess
 end
- raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
+ raise Discourse::InvalidAccess unless meets_tl?
 request_read = params[:access].include? 'r'
 request_read ||= params[:access].include? 'p'
@@ -142,4 +142,8 @@ class UserApiKeysController < ApplicationController
 OpenSSL::PKey::RSA.new(params[:public_key])
 end
+ def meets_tl?
+ current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
+ end
+
 end
diff --git a/spec/controllers/user_api_keys_controller_spec.rb b/spec/controllers/user_api_keys_controller_spec.rb
index 92bc23404..7ad898b1e 100644
--- a/spec/controllers/user_api_keys_controller_spec.rb
+++ b/spec/controllers/user_api_keys_controller_spec.rb
@@ -66,6 +66,19 @@ TXT
 expect(response.code).to eq("403")
 end
+ it "will allow tokens for staff without TL" do
+ SiteSetting.min_trust_level_for_user_api_key = 2
+ SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
+ user = Fabricate(:user, trust_level: 1, moderator: true)
+ log_in_user(user)
+ post :create, args
+ expect(response.code).to eq("302")
+ end
+
 it "will not create token unless TL is met" do
 SiteSetting.min_trust_level_for_user_api_key = 2
 SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
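Review bot: `meets_tl?` is added as a plain `def` at the bottom of the class and the hunk does not show whether a `private` marker precedes it; on a Rails controller a public instance method becomes an action as soon as a route points at it, so the helper should be declared `private def meets_tl?` (or placed under the existing private section, if there is one). The name also understates what the predicate now does — staff are admitted regardless of trust level — so the two call sites `unless meets_tl?` (hunk at line 24) and `raise Discourse::InvalidAccess unless meets_tl?` (hunk at line 53) would read more accurately after a rename such as `allowed_user_api_key?`, or at least with the comment `# staff bypass min_trust_level_for_user_api_key; everyone else must reach it`. `current_user.staff?` presumes `current_user` is present; the `return` and `raise Discourse::InvalidAccess` guards just above those two call sites look like they cover the anonymous case, but their conditions sit outside the hunks, so confirm. The actions touched by the first two hunks start and end outside the hunks.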
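Review bot: The new example only exercises a moderator (`Fabricate(:user, trust_level: 1, moderator: true)`), while the controller now gates on `staff?`, which presumably also admits admins; a second example using `admin: true` would pin both halves of the bypass. It also asserts only `expect(response.code).to eq("302")`, so a controller that redirects without persisting a key would still pass; asserting that a key record now exists for `user` would make the example fail for the right reason. The `describe` block enclosing these examples starts and ends outside the hunk.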