SECURITY: don't grant same privileges to user_api and api access

User API no longer gets the bypasses that the standard API gets.
Only bypasses are CSRF and XHR requirements.
Sam
2016-12-16 12:05:20 +11:00
parent 40fc83843b
commit e23af6eea4
6 changed files with 24 additions and 6 deletions
+1 -1
@@ -467,7 +467,7 @@ class PostsController < ApplicationController
json_obj = json_obj[:post]
end
if !success && GlobalSetting.try(:verbose_api_logging) && is_api?
if !success && GlobalSetting.try(:verbose_api_logging) && (is_api? || is_user_api?)
Rails.logger.error "Error creating post via API:\n\n#{json_obj.inspect}"
end
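Review bot: the log message on the `Rails.logger.error` line still reads "Error creating post via API" although the condition above it now also matches `is_user_api?`, so an operator reading the verbose log cannot tell whether the failed request came in through the standard API or the user API. Since the commit's purpose is to stop treating the two as equivalent, name the path in the message (for example "via user API" when `is_user_api?` is true). It is also worth confirming that `json_obj.inspect` is acceptable to log for user API requests, because this branch previously only ran for standard API calls.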