[openstreetmap/openstreetmap-website] Use only token capabilities when a token is provided (#2083)

Andy Allan notifications at github.com
Thu Dec 13 10:01:10 UTC 2018


Ah, sorry about that. I think your approach is fine for now, because the tokens are only set up for particular actions (via `authorize` vs `authorize_web`). 

I want to avoid allowing tokens (and basic auth) to be used for non-API methods by mistake, so technically they shouldn't get all the permissions from `Ability.new(nil)` since that includes a lot of non-API methods. But we can come back to this later, since (afaict) it doesn't matter yet.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/2083#issuecomment-446910290