Prevent users from changing API keys for others

It was checking for the permission to create a user, which everyone can
do. Now it checks for permission to update that particular user and no
longer allows generating new keys for other users.

This would have been an inconvenience but not a big security issue
because you can't view the key of another user.
This commit is contained in:
Maikel Linke
2022-10-20 17:56:46 +11:00
parent 7b96a1fb5b
commit fc79612f26
2 changed files with 11 additions and 1 deletions


@@ -32,7 +32,7 @@ module Spree
def load_object
@user ||= find_user
if @user
authorize! params[:action].to_sym, @user
authorize! :update, @user
else
redirect_to main_app.login_path
end
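Review bot: `authorize! :update, @user` now applies one fixed ability to every action that reaches `load_object`, which is the intended fix, but nothing in the method records why `:update` rather than the action name is the right check, and a future maintainer could plausibly restore the old `params[:action].to_sym` mapping; a one-line comment above the call would pin it, e.g. `# Changing an API key modifies that user's account: require :update on @user, not the action name (:create is granted to everyone).` The `else` branch still redirects to the login page whenever `find_user` returns nil, which presumably also covers an authenticated caller supplying an unknown id, so it is worth confirming that is the wanted behaviour; `find_user` is outside this hunk. The spec added in the other file exercises only `create`; if this controller has further actions that go through `load_object`, they would benefit from the same denial test.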


@@ -9,6 +9,7 @@ describe Spree::ApiKeysController, type: :controller, performance: true do
include ControllerRequestsHelper
let(:user) { create(:user) }
let(:other_user) { create(:user) }
let(:redirect_path) { "#{spree.account_path}#/developer_settings" }
before do
@@ -21,6 +22,15 @@ describe Spree::ApiKeysController, type: :controller, performance: true do
expect(user.spree_api_key).to be_present
end
it "denies creating a new api key for other user" do
expect {
spree_post :create, id: other_user.id
other_user.reload
}.to_not change {
other_user.spree_api_key
}
end
it "redirects to the api keys tab on account page " do
spree_post :create
expect(response).to redirect_to redirect_path
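Review bot: The new example `it "denies creating a new api key for other user"` only asserts that `other_user.spree_api_key` is unchanged, which would also pass if the request never reached the controller action for an unrelated reason (a routing or parameter problem), so it does not prove the authorization check is what denied it. Add an assertion on the response so the test pins the denial itself, e.g. `expect(response).to have_http_status(:unauthorized)` or, if the controller rescues the authorization failure with a redirect, `expect(response).to redirect_to(...)` with the app's path. If this `authorize!` is CanCan's, a failed check raises `CanCan::AccessDenied`; how the controller translates that into a response is outside this hunk, so the exact expectation has to be matched against it.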