From 2d859ba0ed5ce541a1304e3abfe263f7462276e4 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 12 Sep 2016 15:42:06 +1000
Subject: [PATCH] FIX: user api should always be available to staff

---
 app/controllers/user_api_keys_controller.rb | 8 ++++++--
 spec/controllers/user_api_keys_controller_spec.rb | 13 +++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb
index d4f8dfb6eb..8b532a1009 100644
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@@ -24,7 +24,7 @@ class UserApiKeysController < ApplicationController
 return
 end
 
- if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
+ unless meets_tl?
 @no_trust_level = true
 return
 end
@@ -53,7 +53,7 @@ class UserApiKeysController < ApplicationController
 raise Discourse::InvalidAccess
 end
 
- raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
+ raise Discourse::InvalidAccess unless meets_tl?
 
 request_read = params[:access].include? 'r'
 request_read ||= params[:access].include? 'p'
@@ -142,4 +142,8 @@ class UserApiKeysController < ApplicationController
OpenSSL::PKey::RSA.new(params[:public_key]) end + def meets_tl? current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key + end + end
diff --git a/spec/controllers/user_api_keys_controller_spec.rb b/spec/controllers/user_api_keys_controller_spec.rb
index 92bc23404f..7ad898b1e2 100644
--- a/spec/controllers/user_api_keys_controller_spec.rb
+++ b/spec/controllers/user_api_keys_controller_spec.rb
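Review bot: The staff exemption inside `meets_tl?` is undocumented, and the name still reads as a pure trust-level test, so a reader of the two call sites (`unless meets_tl?` in the page path and `raise Discourse::InvalidAccess unless meets_tl?` in create) will assume `min_trust_level_for_user_api_key` is a hard floor for every account; it is now a floor for non-staff only, and raising the setting no longer keeps admins or moderators from minting user API keys. Add a comment above the definition: `# Admins and moderators may always issue a user API key; the min_trust_level_for_user_api_key floor applies to everyone else, so raising that setting does not lock staff out.` The method is appended after the RSA-parsing helper at the end of the class, but the `private` keyword (if there is one) lies outside this hunk; since Rails exposes every public instance method of a controller as an action method, confirm it sits below `private` or move it there. Renaming it to something like `user_api_key_allowed?` would make the exemption visible at the call sites, though that is a matter of taste.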
@@ -66,6 +66,19 @@ TXT
 expect(response.code).to eq("403")
 end
 
+ it "will allow tokens for staff without TL" do
+
+ SiteSetting.min_trust_level_for_user_api_key = 2
+ SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
+
+ user = Fabricate(:user, trust_level: 1, moderator: true)
+
+ log_in_user(user)
+
+ post :create, args
+ expect(response.code).to eq("302")
+ end
+
 it "will not create token unless TL is met" do
 SiteSetting.min_trust_level_for_user_api_key = 2
 SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
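Review bot: The new example only shows that a moderator at trust level 1 is not rejected; asserting `302` alone does not distinguish a successful key issue (a redirect back to `args[:auth_redirect]`) from any other redirect, and it exercises neither the lowest trust level nor the admin half of `staff?` that the commit title promises. Use `user = Fabricate(:user, trust_level: 0, moderator: true)` (and a sibling example with `admin: true`), and if the neighbouring examples already check the redirect target, assert it here as well rather than the bare status code. The enclosing `describe` block and the `args` helper are defined outside this hunk.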