discourse/lib/auth/current_user_provider.rb
Sam 6ff309aa80 SECURITY: don't grant same privileges to user_api and api access
User API no longer gets the bypasses that the standard API gets.
The only bypasses it keeps are the CSRF and XHR requirements.
2016-12-16 12:05:43 +11:00


# Namespace that holds the current-user provider interface.
module Auth
  # Interface that a current-user provider has to implement.
  #
  # Every required method here raises NotImplementedError, so a provider
  # that forgets to override one fails loudly instead of returning a
  # default answer. NotImplementedError descends from ScriptError, not
  # StandardError, so a bare `rescue` does not swallow it.
  class CurrentUserProvider
    # All current-user initialization belongs here.
    #
    # @param env the request environment handed to the provider
    # @raise [NotImplementedError] always, in this base class
    def initialize(env)
      raise NotImplementedError
    end

    # The current user, or nil when none is found.
    #
    # @raise [NotImplementedError] always, in this base class
    def current_user
      raise NotImplementedError
    end

    # Logs a user on and sets cookies, session state and so on.
    #
    # @raise [NotImplementedError] always, in this base class
    def log_on_user(user, session, cookies)
      raise NotImplementedError
    end

    # Optional hook, called to refresh cookies etc. when needed.
    # The default does nothing and returns nil.
    def refresh_session(user, session, cookies)
    end

    # API access has special rights; return true when API access was
    # detected for this request.
    #
    # @raise [NotImplementedError] always, in this base class
    def is_api?
      raise NotImplementedError
    end

    # Separate predicate for user API access, kept distinct from is_api?.
    #
    # Per the accompanying SECURITY commit note, user API access must not
    # be granted the same privileges as API access: its only bypasses are
    # the CSRF and XHR requirements. Nothing in this class enforces that;
    # NOTE(review): confirm callers never treat the two predicates as
    # interchangeable.
    #
    # @raise [NotImplementedError] always, in this base class
    def is_user_api?
      raise NotImplementedError
    end

    # Tells the middleware very early on whether an auth token exists, so
    # that caching can be optimised.
    #
    # NOTE(review): presumably this reports presence only, not validity;
    # confirm in the concrete provider before using it for access decisions.
    #
    # @raise [NotImplementedError] always, in this base class
    def has_auth_cookie?
      raise NotImplementedError
    end

    # Logs the user off; receives the session and cookies.
    #
    # @raise [NotImplementedError] always, in this base class
    def log_off_user(session, cookies)
      raise NotImplementedError
    end
  end
end