SECURITY: don't grant the same privileges to user_api and api access

User API no longer gets the bypasses that the standard API gets.
The only bypasses are the CSRF and XHR requirements.
Sam
2016-12-16 12:05:20 +11:00
parent 40fc83843b
commit e23af6eea4
6 changed files with 24 additions and 6 deletions
+2 -2
@@ -25,7 +25,7 @@ class ApplicationController < ActionController::Base
# and then raising a CSRF exception
def handle_unverified_request
# NOTE: API key is secret, having it invalidates the need for a CSRF token
unless is_api?
unless is_api? || is_user_api?
super
clear_current_user
render text: "['BAD CSRF']", status: 403
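Review bot: the NOTE above the changed condition still justifies the bypass with "API key is secret", but `unless is_api? || is_user_api?` now extends the CSRF exemption to user API keys as well; update the comment to name both keys, and confirm that `is_user_api?` is true only when the client explicitly supplies the user API key in a request header rather than through anything the browser attaches on its own (a cookie), since that explicit-header property is what makes the CSRF token unnecessary. As written, a request that presents either key never reaches `super`, `clear_current_user` or the `['BAD CSRF']` 403, so the strength of that header check is the whole defence here.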
@@ -501,7 +501,7 @@ class ApplicationController < ActionController::Base
def check_xhr
# bypass xhr check on PUT / POST / DELETE provided api key is there, otherwise calling api is annoying
return if !request.get? && is_api?
return if !request.get? && (is_api? || is_user_api?)
raise RenderEmpty.new unless ((request.format && request.format.json?) || request.xhr?)
end
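Review bot: the comment "provided api key is there" is now inaccurate, since `return if !request.get? && (is_api? || is_user_api?)` also waives the XHR requirement for user API keys on PUT / POST / DELETE; reword it to cover both key types. GET requests carrying a user API key still fall through to the `request.format.json? || request.xhr?` check, the same as the standard API, which is consistent with the commit message limiting the shared bypasses to CSRF and XHR.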