Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Include routes in an API scope's allowed URLs even if they have no format constraints 

The Allowed URLs list of an API scope only includes routes that
constraint the format for the route to JSON. However, some routes define
no format constraints, but that doesn't mean they can't be used by an
API key.

This commit amends the logic for the Allowed URLs list so that it
includes routes that have no format constraints or the format
constraints include JSON.
This commit is contained in:
OsamaSayegh 2022-04-06 23:15:06 +03:00 committed by Osama Sayegh
parent cedcdb0057
commit 5eaf4b8553
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/models/api_key_scope.rb
View File

@ -120,7 +120,11 @@ class ApiKeyScope < ActiveRecord::Base
defaults = route.defaults defaults = route.defaults
action = "#{defaults[:controller].to_s}##{defaults[:action]}" action = "#{defaults[:controller].to_s}##{defaults[:action]}"
path = route.path.spec.to_s.gsub(/\(\.:format\)/, '') path = route.path.spec.to_s.gsub(/\(\.:format\)/, '')
api_supported_path = path.end_with?('.rss') || route.path.requirements[:format]&.match?('json') api_supported_path = (
path.end_with?('.rss') ||
!route.path.requirements[:format] ||
route.path.requirements[:format].match?('json')
)
excluded_paths = %w[/new-topic /new-message /exception] excluded_paths = %w[/new-topic /new-message /exception]
if actions.include?(action) && api_supported_path && !excluded_paths.include?(path) if actions.include?(action) && api_supported_path && !excluded_paths.include?(path)