id is optional if already specified in header

2016-09-02 17:08:46 +10:00 · 2016-09-02 17:08:46 +10:00 · 1d281e02c7
parent be0fd5b4cc
commit 1d281e02c7
2 changed files with 16 additions and 1 deletions
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@ -90,14 +90,18 @@ class UserApiKeysController < ApplicationController
  end

  def revoke
-    revoke_key = find_key
+    revoke_key = find_key if params[:id]
+
    if current_key = request.env['HTTP_USER_API_KEY']
      request_key = UserApiKey.find_by(key: current_key)
+      revoke_key ||= request_key
      if request_key && request_key.id != revoke_key.id && !request_key.write
        raise Discourse::InvalidAccess
      end
    end

+    raise Discourse::NotFound unless revoke_key
+
    revoke_key.update_columns(revoked_at: Time.zone.now)

    render json: success_json
--- a/spec/controllers/user_api_keys_controller_spec.rb
+++ b/spec/controllers/user_api_keys_controller_spec.rb
@ -94,6 +94,17 @@ TXT

    end

+    it "allows for a revoke with no id" do
+      key = Fabricate(:readonly_user_api_key)
+      request.env['HTTP_USER_API_KEY'] = key.key
+      post :revoke
+
+      expect(response.status).to eq(200)
+
+      key.reload
+      expect(key.revoked_at).not_to eq(nil)
+    end
+
    it "will not allow readonly api keys to revoke others" do
      key1 = Fabricate(:readonly_user_api_key)
      key2 = Fabricate(:readonly_user_api_key)