SECURITY: Correct permission check when revoking user API keys

This commit is contained in:
David Taylor 2019-12-17 10:56:16 +00:00
parent 81b4de39ee
commit 8106d94c05
2 changed files with 14 additions and 1 deletions

View File

@ -167,7 +167,7 @@ class UserApiKeysController < ApplicationController
def find_key
key = UserApiKey.find(params[:id])
raise Discourse::InvalidAccess unless current_user.admin || key.user_id = current_user.id
raise Discourse::InvalidAccess unless current_user.admin || key.user_id == current_user.id
key
end

View File

@ -133,6 +133,19 @@ describe UserApiKeysController do
expect(key.revoked_at).not_to eq(nil)
end
it "will not allow revoking another users key" do
key = Fabricate(:readonly_user_api_key)
acting_user = Fabricate(:user)
sign_in(acting_user)
post "/user-api-key/revoke.json",
params: { id: key.id }
expect(response.status).to eq(403)
key.reload
expect(key.revoked_at).to eq(nil)
end
it "will not return p access if not yet configured" do
SiteSetting.min_trust_level_for_user_api_key = 0
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]