From e8424bd54e4c7d1bff5f8c3f87f931648ee94020 Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Wed, 14 Oct 2015 15:40:23 -0400
Subject: [PATCH] SECURITY: Moderators should not see API keys

---
 .../admin/templates/user-index.hbs | 36 ++++++++++---------
 .../admin_detailed_user_serializer.rb | 2 +-
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/app/assets/javascripts/admin/templates/user-index.hbs b/app/assets/javascripts/admin/templates/user-index.hbs
index 1df839467..bdbee2e53 100644
--- a/app/assets/javascripts/admin/templates/user-index.hbs
+++ b/app/assets/javascripts/admin/templates/user-index.hbs
@@ -203,23 +203,25 @@
 </div>
 </div>
 
- <div class='display-row'>
- <div class='field'>{{i18n 'admin.api.key'}}</div>
- {{#if model.api_key}}
- <div class='long-value'>
- {{model.api_key.key}}
- {{d-button action="regenerateApiKey" icon="undo" label="admin.api.regenerate"}}
- {{d-button action="revokeApiKey" icon="times" label="admin.api.revoke"}}
- </div>
- {{else}}
- <div class='value'>
- —
- </div>
- <div class='controls'>
- {{d-button action="generateApiKey" icon="key" label="admin.api.generate"}}
- </div>
- {{/if}}
- </div>
+ {{#if currentUser.admin}}
+ <div class='display-row'>
+ <div class='field'>{{i18n 'admin.api.key'}}</div>
+ {{#if model.api_key}}
+ <div class='long-value'>
+ {{model.api_key.key}}
+ {{d-button action="regenerateApiKey" icon="undo" label="admin.api.regenerate"}}
+ {{d-button action="revokeApiKey" icon="times" label="admin.api.revoke"}}
+ </div>
+ {{else}}
+ <div class='value'>
+ —
+ </div>
+ <div class='controls'>
+ {{d-button action="generateApiKey" icon="key" label="admin.api.generate"}}
+ </div>
+ {{/if}}
+ </div>
+ {{/if}}
 
 <div class='display-row'>
 <div class='field'>{{i18n 'admin.user.admin'}}</div>
diff --git a/app/serializers/admin_detailed_user_serializer.rb b/app/serializers/admin_detailed_user_serializer.rb
index 02c84bd00..29a93fc2c 100644
--- a/app/serializers/admin_detailed_user_serializer.rb
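Review bot: The `{{#if currentUser.admin}}` wrapper only hides the API-key row from moderators in the browser; the `generateApiKey`, `regenerateApiKey` and `revokeApiKey` actions behind the buttons still call server endpoints that this commit does not touch, so whether a moderator can still create or revoke a key depends on those controller actions being admin-only, which is worth confirming. The protection against the key value being disclosed is the serializer change in this same patch, which withholds `api_key` from non-admin scopes. A short template comment would make that dependency visible to the next maintainer: `{{!-- admin only: api_key is also omitted server-side by AdminDetailedUserSerializer#include_api_key? --}}`.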
+++ b/app/serializers/admin_detailed_user_serializer.rb
@@ -65,7 +65,7 @@ class AdminDetailedUserSerializer < AdminUserSerializer
 end
 
 def include_api_key?
- api_key.present?
+ scope.is_admin? && api_key.present?
 end
 
 def suspended_by
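Review bot: `scope.is_admin?` on the added line raises NoMethodError when `scope` is nil, which can happen if this serializer is ever instantiated without a guardian (for example from a job or the console); if that path exists, `scope && scope.is_admin? && api_key.present?` fails closed instead of crashing. This predicate is now the only server-side control keeping the key out of responses built for a moderator, so a spec asserting that serializing with a moderator scope omits `api_key` would pin the fix against regression. A one-line comment above the method would also help: `# API keys are admin-only; the same serializer is used for moderators, so withhold the key for them.`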