mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-27 09:36:19 -05:00
FIX: user api should always be available to staff
This commit is contained in:
parent
b381d84dd9
commit
2d859ba0ed
2 changed files with 19 additions and 2 deletions
|
@ -24,7 +24,7 @@ class UserApiKeysController < ApplicationController
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
|
unless meets_tl?
|
||||||
@no_trust_level = true
|
@no_trust_level = true
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -53,7 +53,7 @@ class UserApiKeysController < ApplicationController
|
||||||
raise Discourse::InvalidAccess
|
raise Discourse::InvalidAccess
|
||||||
end
|
end
|
||||||
|
|
||||||
raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
|
raise Discourse::InvalidAccess unless meets_tl?
|
||||||
|
|
||||||
request_read = params[:access].include? 'r'
|
request_read = params[:access].include? 'r'
|
||||||
request_read ||= params[:access].include? 'p'
|
request_read ||= params[:access].include? 'p'
|
||||||
|
@ -142,4 +142,8 @@ class UserApiKeysController < ApplicationController
|
||||||
OpenSSL::PKey::RSA.new(params[:public_key])
|
OpenSSL::PKey::RSA.new(params[:public_key])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def meets_tl?
|
||||||
|
current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -66,6 +66,19 @@ TXT
|
||||||
expect(response.code).to eq("403")
|
expect(response.code).to eq("403")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "will allow tokens for staff without TL" do
|
||||||
|
|
||||||
|
SiteSetting.min_trust_level_for_user_api_key = 2
|
||||||
|
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
|
||||||
|
|
||||||
|
user = Fabricate(:user, trust_level: 1, moderator: true)
|
||||||
|
|
||||||
|
log_in_user(user)
|
||||||
|
|
||||||
|
post :create, args
|
||||||
|
expect(response.code).to eq("302")
|
||||||
|
end
|
||||||
|
|
||||||
it "will not create token unless TL is met" do
|
it "will not create token unless TL is met" do
|
||||||
SiteSetting.min_trust_level_for_user_api_key = 2
|
SiteSetting.min_trust_level_for_user_api_key = 2
|
||||||
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
|
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
|
||||||
|
|
Loading…
Reference in a new issue