mirror of
https://github.com/codeninjasllc/discourse.git
synced 2024-11-23 15:48:43 -05:00
better error handling
push notifications imply read access, no need for a special permission
This commit is contained in:
parent
2c1249f381
commit
691f739f11
3 changed files with 24 additions and 13 deletions
|
@ -16,7 +16,7 @@ class UserApiKeysController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
require_params
|
require_params
|
||||||
validate_params(_skip_push=true)
|
validate_params
|
||||||
|
|
||||||
unless current_user
|
unless current_user
|
||||||
cookies[:destination_url] = request.fullpath
|
cookies[:destination_url] = request.fullpath
|
||||||
|
@ -24,6 +24,11 @@ class UserApiKeysController < ApplicationController
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
|
||||||
|
@no_trust_level = true
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
@access_description = params[:access].include?("w") ? t("user_api_key.read_write") : t("user_api_key.read")
|
@access_description = params[:access].include?("w") ? t("user_api_key.read_write") : t("user_api_key.read")
|
||||||
@application_name = params[:application_name]
|
@application_name = params[:application_name]
|
||||||
@public_key = params[:public_key]
|
@public_key = params[:public_key]
|
||||||
|
@ -40,6 +45,8 @@ class UserApiKeysController < ApplicationController
|
||||||
@push_url = nil
|
@push_url = nil
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
rescue Discourse::InvalidAccess
|
||||||
|
@generic_error = true
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
|
@ -56,7 +63,7 @@ class UserApiKeysController < ApplicationController
|
||||||
raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
|
raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
|
||||||
|
|
||||||
request_read = params[:access].include? 'r'
|
request_read = params[:access].include? 'r'
|
||||||
request_push = params[:access].include? 'p'
|
request_read ||= params[:access].include? 'p'
|
||||||
request_write = params[:access].include? 'w'
|
request_write = params[:access].include? 'w'
|
||||||
|
|
||||||
validate_params
|
validate_params
|
||||||
|
@ -68,11 +75,11 @@ class UserApiKeysController < ApplicationController
|
||||||
application_name: params[:application_name],
|
application_name: params[:application_name],
|
||||||
client_id: params[:client_id],
|
client_id: params[:client_id],
|
||||||
read: request_read,
|
read: request_read,
|
||||||
push: request_push,
|
push: params[:push_url].present?,
|
||||||
user_id: current_user.id,
|
user_id: current_user.id,
|
||||||
write: request_write,
|
write: request_write,
|
||||||
key: SecureRandom.hex,
|
key: SecureRandom.hex,
|
||||||
push_url: request_push ? params[:push_url] : nil
|
push_url: params[:push_url]
|
||||||
)
|
)
|
||||||
|
|
||||||
# we keep the payload short so it encrypts easily with public key
|
# we keep the payload short so it encrypts easily with public key
|
||||||
|
@ -118,21 +125,13 @@ class UserApiKeysController < ApplicationController
|
||||||
|
|
||||||
def validate_params(skip_push_check = false)
|
def validate_params(skip_push_check = false)
|
||||||
request_read = params[:access].include? 'r'
|
request_read = params[:access].include? 'r'
|
||||||
request_push = params[:access].include? 'p'
|
request_read ||= params[:access].include? 'p'
|
||||||
request_write = params[:access].include? 'w'
|
request_write = params[:access].include? 'w'
|
||||||
|
|
||||||
raise Discourse::InvalidAccess unless request_read || request_push
|
raise Discourse::InvalidAccess unless request_read || request_push
|
||||||
raise Discourse::InvalidAccess if request_read && !SiteSetting.allow_read_user_api_keys
|
raise Discourse::InvalidAccess if request_read && !SiteSetting.allow_read_user_api_keys
|
||||||
raise Discourse::InvalidAccess if request_write && !SiteSetting.allow_write_user_api_keys
|
raise Discourse::InvalidAccess if request_write && !SiteSetting.allow_write_user_api_keys
|
||||||
|
|
||||||
unless skip_push_check
|
|
||||||
raise Discourse::InvalidAccess if request_push && !SiteSetting.allow_push_user_api_keys
|
|
||||||
|
|
||||||
if request_push && !SiteSetting.allowed_user_api_push_urls.split('|').any?{|u| params[:push_url] == u}
|
|
||||||
raise Discourse::InvalidAccess
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# our pk has got to parse
|
# our pk has got to parse
|
||||||
OpenSSL::PKey::RSA.new(params[:public_key])
|
OpenSSL::PKey::RSA.new(params[:public_key])
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,5 +1,14 @@
|
||||||
<h1><%= t "user_api_key.title" %></h1>
|
<h1><%= t "user_api_key.title" %></h1>
|
||||||
<div>
|
<div>
|
||||||
|
<% if @no_trust_level %>
|
||||||
|
<h3>
|
||||||
|
<%= t("user_api_key.no_trust_level") %>
|
||||||
|
</h3>
|
||||||
|
<% elsif @generic_error %>
|
||||||
|
<h3>
|
||||||
|
<%= t("user_api_key.generic_error") %>
|
||||||
|
</h3>
|
||||||
|
<% else %>
|
||||||
<p>
|
<p>
|
||||||
<%= t("user_api_key.description", application_name: @application_name, access: @access_description) %>
|
<%= t("user_api_key.description", application_name: @application_name, access: @access_description) %>
|
||||||
</p>
|
</p>
|
||||||
|
@ -14,5 +23,6 @@
|
||||||
<%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger' %>
|
<%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger' %>
|
||||||
<% end %>
|
<% end %>
|
||||||
</div>
|
</div>
|
||||||
|
<% end %>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -646,6 +646,8 @@ en:
|
||||||
read: "read"
|
read: "read"
|
||||||
read_write: "read/write"
|
read_write: "read/write"
|
||||||
description: "Would you like to grant \"%{application_name}\" %{access} access to your account?"
|
description: "Would you like to grant \"%{application_name}\" %{access} access to your account?"
|
||||||
|
no_trust_level: "Sorry, you do not have the required trust level to access the user API"
|
||||||
|
generic_error: "Sorry, we are unable to issue user API keys, this feature may be disabled by the site admin"
|
||||||
|
|
||||||
reports:
|
reports:
|
||||||
visits:
|
visits:
|
||||||
|
|
Loading…
Reference in a new issue