From a37db9448f35c31bcd2df4c016fd4535a408a057 Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 26 Aug 2016 13:12:38 +1000
Subject: [PATCH] correctly return access rights in auth redirect

---
 app/models/user_api_key.rb | 3 +-
 .../user_api_keys_controller_spec.rb | 30 +++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/app/models/user_api_key.rb b/app/models/user_api_key.rb
index 9d518942db9..b8709328f76 100644
--- a/app/models/user_api_key.rb
+++ b/app/models/user_api_key.rb
@@ -2,7 +2,8 @@ class UserApiKey < ActiveRecord::Base
 belongs_to :user
 def access
- "#{read ? "r" : ""}#{write ? "w" : ""}#{push ? "p" : ""}"
+ has_push = push && push_url.present? && SiteSetting.allowed_user_api_push_urls.include?(push_url)
+ "#{read ? "r" : ""}#{write ? "w" : ""}#{has_push ? "p" : ""}"
 end
 end
diff --git a/spec/controllers/user_api_keys_controller_spec.rb b/spec/controllers/user_api_keys_controller_spec.rb
index 260da46f92c..77383aed4e1 100644
--- a/spec/controllers/user_api_keys_controller_spec.rb
+++ b/spec/controllers/user_api_keys_controller_spec.rb
@@ -94,6 +94,35 @@ TXT
 end
+ it "will not return p access if not yet configured" do
+ SiteSetting.min_trust_level_for_user_api_key = 0
+ SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
+
+ args[:access] = "pr"
+ args[:push_url] = "https://push.it/here"
+
+ user = Fabricate(:user, trust_level: 0)
+
+ log_in_user(user)
+
+ post :create, args
+ expect(response.code).to eq("302")
+
+ uri = URI.parse(response.redirect_url)
+
+ query = uri.query
+ payload = query.split("payload=")[1]
+ encrypted = Base64.decode64(CGI.unescape(payload))
+
+ key = OpenSSL::PKey::RSA.new(private_key)
+
+ parsed = JSON.parse(key.private_decrypt(encrypted))
+
+ expect(parsed["nonce"]).to eq(args[:nonce])
+ expect(parsed["access"].split('').sort).to eq(['r'])
+
+ end
+
 it "will redirect correctly with valid token" do
 SiteSetting.min_trust_level_for_user_api_key = 0
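Review bot: `SiteSetting.allowed_user_api_push_urls.include?(push_url)` on the new `has_push` line is only a real allow-list membership test if that setting yields a collection; if it is a list-type setting that comes back as a pipe-delimited String (the usual storage for Discourse list settings), this is `String#include?`, a substring test, so a `push_url` that is merely a substring of an allowed entry or of the raw setting value would earn the key a `p` flag. Splitting first makes the intent unambiguous: `SiteSetting.allowed_user_api_push_urls.split("|").include?(push_url)`. Since `access` is the string the auth redirect reports back to the requesting app, it should mirror exactly the check the push delivery path applies, so consider extracting that allow-list test into one shared predicate instead of re-deriving it in the model.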
@@ -122,6 +151,7 @@ TXT
 parsed = JSON.parse(key.private_decrypt(encrypted))
 expect(parsed["nonce"]).to eq(args[:nonce])
+ expect(parsed["access"].split('').sort).to eq(['p','r', 'w'])
 api_key = UserApiKey.find_by(key: parsed["key"])
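Review bot: The added assertion spells `String#chars` as `split('')` and the expected literal has inconsistent spacing (`['p','r', 'w']`); `expect(parsed["access"].chars.sort).to eq(%w[p r w])` reads cleaner, and the same applies to the `eq(['r'])` assertion in the spec's first hunk. The enclosing `it "will redirect correctly with valid token"` example starts outside this hunk, so whether it sets `SiteSetting.allowed_user_api_push_urls` to include the push_url that `p` now depends on is not visible here; if it does not, this expectation fails against the model change in this commit. The negative example in the first hunk would likewise be more robust if it set `SiteSetting.allowed_user_api_push_urls = ""` explicitly rather than relying on the setting's default being empty.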