FIX: user api should always be available to staff

Sam 2016-09-12 15:42:06 +10:00
parent b381d84dd9
commit 2d859ba0ed
2 changed files with 19 additions and 2 deletions


@ -24,7 +24,7 @@ class UserApiKeysController < ApplicationController
return return
end end
if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key unless meets_tl?
@no_trust_level = true @no_trust_level = true
return return
end end
@ -53,7 +53,7 @@ class UserApiKeysController < ApplicationController
raise Discourse::InvalidAccess raise Discourse::InvalidAccess
end end
raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key raise Discourse::InvalidAccess unless meets_tl?
request_read = params[:access].include? 'r' request_read = params[:access].include? 'r'
request_read ||= params[:access].include? 'p' request_read ||= params[:access].include? 'p'
@ -142,4 +142,8 @@ class UserApiKeysController < ApplicationController
OpenSSL::PKey::RSA.new(params[:public_key]) OpenSSL::PKey::RSA.new(params[:public_key])
end end
def meets_tl?
current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
end
end end
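Review bot: The new `meets_tl?` helper at the end of the controller carries a staff exemption that its name does not reveal, so the two call sites (`unless meets_tl?` in the first and second hunks) read as a plain trust-level check although staff now skip `min_trust_level_for_user_api_key` entirely. I would add a comment above the method, for example `# Staff bypass min_trust_level_for_user_api_key; everyone else must meet it.`, and mention the exemption in the setting's description so an admin who raises the threshold to restrict key creation knows it does not apply to staff accounts. The hunk does not show whether a `private` marker precedes the helper; if none does, `meets_tl?` is a public controller method and should be moved under `private`. The helper also dereferences `current_user` directly, so it relies on the login check that the callers presumably perform earlier, outside the visible lines.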


@ -66,6 +66,19 @@ TXT
expect(response.code).to eq("403") expect(response.code).to eq("403")
end end
it "will allow tokens for staff without TL" do
SiteSetting.min_trust_level_for_user_api_key = 2
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
user = Fabricate(:user, trust_level: 1, moderator: true)
log_in_user(user)
post :create, args
expect(response.code).to eq("302")
end
it "will not create token unless TL is met" do it "will not create token unless TL is met" do
SiteSetting.min_trust_level_for_user_api_key = 2 SiteSetting.min_trust_level_for_user_api_key = 2
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect] SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]