SECURITY: Correct permission check when revoking user API keys
This commit is contained in:
parent
81b4de39ee
commit
8106d94c05
|
@ -167,7 +167,7 @@ class UserApiKeysController < ApplicationController
|
|||
|
||||
def find_key
|
||||
key = UserApiKey.find(params[:id])
|
||||
raise Discourse::InvalidAccess unless current_user.admin || key.user_id = current_user.id
|
||||
raise Discourse::InvalidAccess unless current_user.admin || key.user_id == current_user.id
|
||||
key
|
||||
end
|
||||
|
||||
|
|
|
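Review bot: With the comparison fixed, the rejection a non-owner receives still differs by whether the id exists, because `UserApiKey.find(params[:id])` raises `ActiveRecord::RecordNotFound` (typically rendered as 404) before the ownership check on the next line can raise `Discourse::InvalidAccess`, so the status code reveals whether a key id is in use. If that distinction matters, look the key up with `key = UserApiKey.find_by(id: params[:id])` and fail closed with `raise Discourse::InvalidAccess if key.nil? || !(current_user.admin || key.user_id == current_user.id)` so every refused request looks the same. The original `=` is exactly what RuboCop's Lint/AssignmentInCondition cop flags; running it in CI would catch a regression of this kind. The check also presumes `current_user` is non-nil here — I assume a login filter runs before `find_key`, but that is outside the hunk, as is the rest of the class.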
@ -133,6 +133,19 @@ describe UserApiKeysController do
|
|||
expect(key.revoked_at).not_to eq(nil)
|
||||
end
|
||||
|
||||
it "will not allow revoking another users key" do
|
||||
key = Fabricate(:readonly_user_api_key)
|
||||
acting_user = Fabricate(:user)
|
||||
sign_in(acting_user)
|
||||
|
||||
post "/user-api-key/revoke.json",
|
||||
params: { id: key.id }
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
key.reload
|
||||
expect(key.revoked_at).to eq(nil)
|
||||
end
|
||||
|
||||
it "will not return p access if not yet configured" do
|
||||
SiteSetting.min_trust_level_for_user_api_key = 0
|
||||
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
|
||||
|
|
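Review bot: The new example only pins the non-owner path; nothing in this hunk exercises the `current_user.admin` branch of the same permission check, so a regression in which admins lose (or everyone gains) the ability to revoke another user's key would pass this spec. Add a sibling example that signs in `Fabricate(:admin)`, posts the same revoke request for `key.id`, and expects a successful status with `key.reload.revoked_at` no longer `nil`. The preceding example, which appears to cover the owner path, begins before this hunk, and the `describe` block continues outside it.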