diff --git a/app/controllers/static_controller.rb b/app/controllers/static_controller.rb index a2d6f11afb1..d7dee2377bd 100644 --- a/app/controllers/static_controller.rb +++ b/app/controllers/static_controller.rb @@ -81,7 +81,7 @@ class StaticController < ApplicationController uri.path !~ /\./ destination = uri.path - destination = "#{uri.path}?#{uri.query}" if uri.path =~ /new-topic/ || uri.path =~ /new-message/ + destination = "#{uri.path}?#{uri.query}" if uri.path =~ /new-topic/ || uri.path =~ /new-message/ || uri.path =~ /user-api-key/ end rescue URI::InvalidURIError # Do nothing if the URI is invalid diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb index d870142b18f..cfa80de4651 100644 --- a/app/controllers/user_api_keys_controller.rb +++ b/app/controllers/user_api_keys_controller.rb @@ -1,22 +1,36 @@ class UserApiKeysController < ApplicationController + layout 'no_ember' + skip_before_filter :redirect_to_login_if_required, only: [:new] - skip_before_filter :check_xhr + skip_before_filter :check_xhr, :preload_json before_filter :ensure_logged_in, only: [:create] def new + require_params + validate_params + + unless current_user + cookies[:destination_url] = request.fullpath + redirect_to path('/login') + return + end + + @access_description = params[:access].include?("w") ? t("user_api_key.read_write") : t("user_api_key.read") + @application_name = params[:application_name] + @public_key = params[:public_key] + @nonce = params[:nonce] + @access = params[:access] + @client_id = params[:client_id] + @auth_redirect = params[:auth_redirect] + @application_name = params[:application_name] + @push_url = params[:push_url] end def create - [ - :public_key, - :nonce, - :access, - :client_id, - :auth_redirect, - :application_name - ].each{|p| params.require(p)} + require_params + unless SiteSetting.allowed_user_api_auth_redirects .split('|') @@ -31,14 +45,7 @@ class UserApiKeysController < ApplicationController request_push = params[:access].include? 'p' request_write = params[:access].include? 'w' - raise Discourse::InvalidAccess unless request_read || request_push - raise Discourse::InvalidAccess if request_read && !SiteSetting.allow_read_user_api_keys - raise Discourse::InvalidAccess if request_write && !SiteSetting.allow_write_user_api_keys - raise Discourse::InvalidAccess if request_push && !SiteSetting.allow_push_user_api_keys - - if request_push && !SiteSetting.allowed_user_api_push_urls.split('|').any?{|u| params[:push_url] == u} - raise Discourse::InvalidAccess - end + validate_params key = UserApiKey.create!( application_name: params[:application_name], @@ -65,4 +72,33 @@ class UserApiKeysController < ApplicationController redirect_to "#{params[:auth_redirect]}?payload=#{CGI.escape(payload)}" end + def require_params + [ + :public_key, + :nonce, + :access, + :client_id, + :auth_redirect, + :application_name + ].each{|p| params.require(p)} + end + + def validate_params + request_read = params[:access].include? 'r' + request_push = params[:access].include? 'p' + request_write = params[:access].include? 'w' + + raise Discourse::InvalidAccess unless request_read || request_push + raise Discourse::InvalidAccess if request_read && !SiteSetting.allow_read_user_api_keys + raise Discourse::InvalidAccess if request_write && !SiteSetting.allow_write_user_api_keys + raise Discourse::InvalidAccess if request_push && !SiteSetting.allow_push_user_api_keys + + if request_push && !SiteSetting.allowed_user_api_push_urls.split('|').any?{|u| params[:push_url] == u} + raise Discourse::InvalidAccess + end + + # our pk has got to parse + OpenSSL::PKey::RSA.new(params[:public_key]) + end + end diff --git a/app/views/user_api_keys/new.html.erb b/app/views/user_api_keys/new.html.erb new file mode 100644 index 00000000000..04044f36f3c --- /dev/null +++ b/app/views/user_api_keys/new.html.erb @@ -0,0 +1,18 @@ +

<%= t "user_api_key.title" %>

+
+

+ <%= t("user_api_key.description", application_name: @application_name, access: @access_description) %> +

+<%= form_tag(user_api_key_path) do %> + <%= hidden_field_tag 'application_name', @application_name %> + <%= hidden_field_tag 'access', @access %> + <%= hidden_field_tag 'nonce', @nonce %> + <%= hidden_field_tag 'client_id', @client_id %> + <%= hidden_field_tag 'auth_redirect', @auth_redirect %> + <%= hidden_field_tag 'push_url', @push_url %> + <%= hidden_field_tag 'public_key', @public_key%> + <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger' %> +<% end %> +
+ + diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml index 41b3d6930da..0dece24a282 100644 --- a/config/locales/server.en.yml +++ b/config/locales/server.en.yml @@ -640,6 +640,13 @@ en: not_found_description: "Sorry, we couldn't find this unsubscribe. It's possible the link in your email has expired?" log_out: "Log Out" + user_api_key: + title: "Authorize application access" + authorize: "Authorize" + read: "read" + read_write: "read/write" + description: "Would you like to grant \"%{application_name}\" %{access} access to your account?" + reports: visits: title: "User Visits" diff --git a/config/routes.rb b/config/routes.rb index 5f8b1b45f54..dd3b1e4a02c 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -663,7 +663,7 @@ Discourse::Application.routes.draw do root to: "list#top", constraints: HomePageConstraint.new("top"), :as => "top_lists" get "/user-api-key/new" => "user_api_keys#new" - post "/user-api-key/new" => "user_api_keys#create" + post "/user-api-key" => "user_api_keys#create" get "*url", to: 'permalinks#show', constraints: PermalinkConstraint.new