[openstreetmap/openstreetmap-website] Use only token capabilities when a token is provided (#2083)

Andy Allan notifications at github.com
Wed Dec 12 15:17:03 UTC 2018


The Authenticate#allow? method (from oauth-plugin) sets `current_user` as a side effect of checking the token. But this allowed a valid token to access all actions that are available to that user, beyond the capabilities for that token.

This PR changes that, so that if there is a token, only the permissions from the Capability class are used. I've added a couple of tests that illustrate the change, to show that with the new approach you definitely need the allow_read_prefs permission on a token.

I went for the @request.env fiddling to make the request, since creating a fully signed request (as used in test/integration/oauth_test) is a bit more complex than I would like. But I'm open to other suggestions.

You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/openstreetmap-website/pull/2083

-- Commit Summary --

  * Use only token capabilities when a token is provided

-- File Changes --

    M app/controllers/application_controller.rb (4)
    M test/controllers/user_preferences_controller_test.rb (31)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/2083.patch
https://github.com/openstreetmap/openstreetmap-website/pull/2083.diff
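The authorization mistake the PR describes, reduced to an added Ruby illustration. This is constructed code, not openstreetmap-website's own controller or oauth-plugin code; the `User`/`Token` structs and the capability names other than `allow_read_prefs` are assumptions made for the example.

```ruby
require "set"

# Constructed model (not the project's classes): an account with its full
# permission set, and an OAuth token scoped to a subset of capabilities.
User  = Struct.new(:name, :permissions)
Token = Struct.new(:user, :capabilities)

# Pattern before the fix: checking the token sets current_user as a side
# effect, and the action is then gated only on that user's own permissions.
# The token's narrower capabilities never enter the decision.
def allowed_before_fix?(action, token: nil, session_user: nil)
  current_user = token ? token.user : session_user
  return false unless current_user

  current_user.permissions.include?(action)
end

# Pattern after the fix: when a token is present, only the capabilities
# granted to that token decide; the account's full permissions apply only
# to an ordinary session login.
def allowed_after_fix?(action, token: nil, session_user: nil)
  if token
    token.capabilities.include?(action)
  elsif session_user
    session_user.permissions.include?(action)
  else
    false
  end
end

# Constructed sample data: alice may do several things, but the token she
# issued was granted allow_write_api only (capability names assumed).
ALICE = User.new("alice", Set[:allow_read_prefs, :allow_write_prefs, :allow_write_api])
NARROW_TOKEN = Token.new(ALICE, Set[:allow_write_api])

if __FILE__ == $PROGRAM_NAME
  puts allowed_before_fix?(:allow_read_prefs, token: NARROW_TOKEN) # true: token grants everything alice may do
  puts allowed_after_fix?(:allow_read_prefs, token: NARROW_TOKEN)  # false: token lacks allow_read_prefs
end
```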
