mirror of
https://github.com/openfoodfoundation/openfoodnetwork
synced 2026-01-25 20:46:48 +00:00
fc79612f26
It was checking for the permission to create a user which everyone can do. Now it's checking for updating that particular user and doesn't allow generating new keys for other users any more. This would have been an inconvenience but not a big security issue because you can't view the key of another user.
58 lines
1.1 KiB
Ruby
58 lines
1.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Spree
|
|
class ApiKeysController < ::BaseController
|
|
include Spree::Core::ControllerHelpers
|
|
include I18nHelper
|
|
|
|
prepend_before_action :load_object
|
|
|
|
def create
|
|
@user.generate_api_key
|
|
|
|
if @user.save
|
|
flash[:success] = t('spree.api.key_generated')
|
|
end
|
|
|
|
redirect_to redirect_path
|
|
end
|
|
|
|
def destroy
|
|
@user.spree_api_key = nil
|
|
|
|
if @user.save
|
|
flash[:success] = t('spree.api.key_cleared')
|
|
end
|
|
|
|
redirect_to redirect_path
|
|
end
|
|
|
|
private
|
|
|
|
def load_object
|
|
@user ||= find_user
|
|
if @user
|
|
authorize! :update, @user
|
|
else
|
|
redirect_to main_app.login_path
|
|
end
|
|
end
|
|
|
|
def find_user
|
|
Spree::User.find_by(id: params[:id]) || spree_current_user
|
|
end
|
|
|
|
def redirect_path
|
|
if request.referer.blank? || request.referer.include?(spree.account_path)
|
|
developer_settings_path
|
|
else
|
|
request.referer
|
|
end
|
|
end
|
|
|
|
def developer_settings_path
|
|
"#{spree.account_path}#/developer_settings"
|
|
end
|
|
end
|
|
end
|