From b7bdaac08153a037efa8fa411605383c9e7c4a19 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Wed, 14 Oct 2015 15:40:23 -0400
Subject: [PATCH] SECURITY: Moderators should not see API keys

---
 .../admin/templates/user-index.hbs | 36 ++++++++++---------
 .../admin_detailed_user_serializer.rb | 2 +-
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/app/assets/javascripts/admin/templates/user-index.hbs b/app/assets/javascripts/admin/templates/user-index.hbs
index 1df83946718..bdbee2e5368 100644
--- a/app/assets/javascripts/admin/templates/user-index.hbs
+++ b/app/assets/javascripts/admin/templates/user-index.hbs
@@ -203,23 +203,25 @@
-
-
{{i18n 'admin.api.key'}}
- {{#if model.api_key}}
-
- {{model.api_key.key}}
- {{d-button action="regenerateApiKey" icon="undo" label="admin.api.regenerate"}}
- {{d-button action="revokeApiKey" icon="times" label="admin.api.revoke"}}
-
- {{else}}
-
- —
-
-
- {{d-button action="generateApiKey" icon="key" label="admin.api.generate"}}
-
- {{/if}}
-
+ {{#if currentUser.admin}}
+
+
{{i18n 'admin.api.key'}}
+ {{#if model.api_key}}
+
+ {{model.api_key.key}}
+ {{d-button action="regenerateApiKey" icon="undo" label="admin.api.regenerate"}}
+ {{d-button action="revokeApiKey" icon="times" label="admin.api.revoke"}}
+
+ {{else}}
+
+ —
+
+
+ {{d-button action="generateApiKey" icon="key" label="admin.api.generate"}}
+
+ {{/if}}
+
+ {{/if}}
{{i18n 'admin.user.admin'}}
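Review bot: The new `{{#if currentUser.admin}}` wrapper is a client-side check only, so on its own it hides the API-key section from moderators without preventing anything; the `generateApiKey`, `regenerateApiKey` and `revokeApiKey` buttons it encloses still trigger actions whose server endpoints this commit does not change, and the real enforcement for reading the key is the serializer change in the other file. That split of responsibility is worth recording in the template so nobody later relies on the guard alone: add `{{!-- API keys are admin-only. The serializer omits api_key for moderators; this guard only hides the generate/regenerate/revoke controls, it is not the access check. --}}` immediately above the `{{#if currentUser.admin}}` line. The surrounding display-row markup appears to have lost its div tags in this copy of the diff, so the exact nesting of the block is inferred.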
diff --git a/app/serializers/admin_detailed_user_serializer.rb b/app/serializers/admin_detailed_user_serializer.rb
index 02c84bd0009..29a93fc2cde 100644
--- a/app/serializers/admin_detailed_user_serializer.rb
+++ b/app/serializers/admin_detailed_user_serializer.rb
@@ -65,7 +65,7 @@ class AdminDetailedUserSerializer < AdminUserSerializer
   end
 
   def include_api_key?
-    api_key.present?
+    scope.is_admin? && api_key.present?
   end
 
   def suspended_by
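Review bot: Gating `include_api_key?` on `scope.is_admin?` stops the key from being serialized on the user page, but the generate, regenerate and revoke actions the admin template still posts to are not touched by this commit; if those controller actions are reachable by moderators and return the new key in their response, a moderator can still mint and read a key by calling them directly, so confirm they enforce the same admin requirement (I cannot see the controller from here). Expressing the rule as a Guardian predicate rather than an inline role test would let the serializer and those actions share one definition of who may see keys, e.g. `scope.can_see_api_keys? && api_key.present?` backed by `def can_see_api_keys?; is_admin?; end` on Guardian, which is outside this diff. A one-line comment above the method, `# API keys are admin-only: moderators receive this serializer but must never see another user's key.`, would record why the extra check exists. `include_api_key?` is fully inside the hunk; the enclosing class continues outside it.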