From 5eaf4b8553be3a743dbfdd0365a17e59548fe1e4 Mon Sep 17 00:00:00 2001
From: OsamaSayegh
Date: Wed, 6 Apr 2022 23:15:06 +0300
Subject: [PATCH] FIX: Include routes in an API scope's allowed URLs even if they have no format constraints
The Allowed URLs list of an API scope only includes routes that constraint the format for the route to JSON. However, some routes define no format constraints, but that doesn't mean they can't be used by an API key. This commit amends the logic for the Allowed URLs list so that it includes routes that have no format constraints or the format constraints include JSON.
---
 app/models/api_key_scope.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/models/api_key_scope.rb b/app/models/api_key_scope.rb
index a0b86bf590b..b829ae479a6 100644
--- a/app/models/api_key_scope.rb
+++ b/app/models/api_key_scope.rb
@@ -120,7 +120,11 @@ class ApiKeyScope < ActiveRecord::Base
 defaults = route.defaults
 action = "#{defaults[:controller].to_s}##{defaults[:action]}"
 path = route.path.spec.to_s.gsub(/\(\.:format\)/, '')
- api_supported_path = path.end_with?('.rss') || route.path.requirements[:format]&.match?('json')
+ api_supported_path = (
+ path.end_with?('.rss') ||
+ !route.path.requirements[:format] ||
+ route.path.requirements[:format].match?('json')
+ )
 excluded_paths = %w[/new-topic /new-message /exception]
 if actions.include?(action) && api_supported_path && !excluded_paths.include?(path)
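Review bot: The new `!route.path.requirements[:format]` branch carries no comment saying why a route without a format constraint counts as reachable by an API key, and the three-line condition reads `route.path.requirements[:format]` twice. A local keeps it short and gives the comment a home: `format_constraint = route.path.requirements[:format]` followed by `api_supported_path = path.end_with?('.rss') || !format_constraint || format_constraint.match?('json')`, with `# no :format requirement means the route accepts any format, JSON included` above it. With this branch every unconstrained route for the scope's actions is listed unless it appears in the hard-coded `excluded_paths`, so a spec asserting that an unconstrained route is listed and an HTML-only route is not would pin the behaviour; the diffstat shows only the model file changed. The enclosing method begins and ends outside the hunk, so whether this list is used only for display or also when a request is authorised cannot be confirmed from here.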