SECURITY: Correct permission check when revoking user API keys
This commit is contained in:
parent
1c49875048
commit
ff4a6a37de
@ -164,7 +164,7 @@ class UserApiKeysController < ApplicationController
def find_key
def find_key
key = UserApiKey.find(params[:id])
key = UserApiKey.find(params[:id])
raise Discourse::InvalidAccess unless current_user.admin || key.user_id = current_user.id
raise Discourse::InvalidAccess unless current_user.admin || key.user_id == current_user.id
key
key
end
end
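Review bot: The `raise Discourse::InvalidAccess unless current_user.admin || ...` line assumes a logged-in caller; if the revoke action is reachable without a session (the controller's before_action list is not visible in this hunk), `current_user` is nil and `current_user.admin` raises NoMethodError, a 500 rather than the intended 403, so a leading `raise Discourse::InvalidAccess unless current_user` guard would make that failure mode explicit. The `=` that this commit corrects only slipped through because nothing flagged an assignment used as a condition; enabling RuboCop's `Lint/AssignmentInCondition` cop would turn this class of bug into a lint failure instead of an authorization bypass. Note also that `UserApiKey.find(params[:id])` raises before the ownership check runs, so a non-admin caller can tell a foreign key (403) from a non-existent id (404); scoping the lookup to `current_user.id` unless the caller is admin would close that small oracle, at the cost of changing the 403 that the new spec expects.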
@ -133,6 +133,19 @@ describe UserApiKeysController do
expect(key.revoked_at).not_to eq(nil)
expect(key.revoked_at).not_to eq(nil)
end
end
it "will not allow revoking another users key" do
key = Fabricate(:readonly_user_api_key)
acting_user = Fabricate(:user)
sign_in(acting_user)
post "/user-api-key/revoke.json",
params: { id: key.id }
expect(response.status).to eq(403)
key.reload
expect(key.revoked_at).to eq(nil)
end
it "will not return p access if not yet configured" do
it "will not return p access if not yet configured" do
SiteSetting.min_trust_level_for_user_api_key = 0
SiteSetting.min_trust_level_for_user_api_key = 0
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
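Review bot: The new example `"will not allow revoking another users key"` pins only the denial path for a non-admin; the `current_user.admin ||` half of the controller check has no positive test in this hunk, so a later change that drops admin access would pass this spec unnoticed unless such a case already exists elsewhere in the file (not visible here). A companion example that signs in an admin, posts the same revoke request for a foreign key and asserts `revoked_at` is set would pin both sides of the check. The enclosing `describe UserApiKeysController` block starts before this hunk, and the status code the existing positive example asserts is not visible, so the sketch below only checks the revocation itself.
```ruby
it "allows an admin to revoke another users key" do
  key = Fabricate(:readonly_user_api_key)
  sign_in(Fabricate(:user, admin: true))

  post "/user-api-key/revoke.json", params: { id: key.id }

  key.reload
  expect(key.revoked_at).not_to eq(nil)
end
```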