[openstreetmap/openstreetmap-website] Rework capabilities to avoid assumptions about missing tokens (71b21ec)
Tom Hughes
notifications at github.com
Wed Oct 24 11:59:03 UTC 2018
So that turns out to be quite a complicated question ;-)
So firstly `current_token` will be set whenever the rack filter saw a request with a valid OAuth signature, but it might only be a request token that hasn't been authorised yet - that could be checked with `.is_a?(AccessToken)` if we wanted.
Secondly, if it is an access token and `setup_user_auth` has been run then `current_user` will be set to the token's user by the `Authenticator.new(self, [:token]).allow?` call - strictly that would probably be the best way to validate the token before using it to check capabilities, but it is a bit nasty in that it wants a controller and will try and send a response if the token is invalid, so we probably can't/don't want to use that.
So in principle there is no security issue so long as we check the token is an access token but on the other hand if `setup_user_auth` hasn't been called then `current_user` won't be set and although things might be allowed they might not actually work ;-)
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/commit/71b21ec47371c7210dfcb234f7bfa0adf00efad1#commitcomment-31026007
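The guard described in the comment, as an added illustration (not code from openstreetmap-website): a minimal model of the two OAuth token kinds and a capability check that grants nothing unless the signature resolved to an authorised `AccessToken` and `current_user` is known. The `OauthToken` struct, `token_capabilities` and the `:write_api` permission are assumptions for this example; only `current_token`, `current_user` and `AccessToken` come from the comment.

```ruby
# Constructed model of the token classes (assumption, not the project's own).
OauthToken = Struct.new(:user, :authorized, :permissions, keyword_init: true)
class RequestToken < OauthToken; end # issued before the user has consented
class AccessToken < OauthToken; end  # issued only after consent, carries permissions

# Permissions a token-authenticated request may exercise.
# Returns [] unless:
#  - current_token is an AccessToken (a RequestToken, even an authorised one,
#    has not been exchanged yet and must confer nothing),
#  - the access token itself is authorised, and
#  - current_user is set and matches the token's user, i.e. setup_user_auth
#    has run, so code relying on current_user downstream actually works.
def token_capabilities(current_token, current_user)
  return [] unless current_token.is_a?(AccessToken)
  return [] unless current_token.authorized
  return [] if current_user.nil? || current_user != current_token.user

  current_token.permissions
end

# Constructed sample tokens for a user "alice".
UNAUTHORISED_REQUEST = RequestToken.new(user: "alice", authorized: false, permissions: [:write_api])
AUTHORISED_REQUEST   = RequestToken.new(user: "alice", authorized: true,  permissions: [:write_api])
ACCESS               = AccessToken.new(user: "alice",  authorized: true,  permissions: [:write_api])
```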