chinwag/chinwagsocial
chinwag/chinwagsocial
2
0
Fork 0
Code Issues Pull requests Releases 14 Wiki Activity

Fix suspended users being able to access APIs that don't require a user (#18524)

Browse source
This commit is contained in:
Eugen Rochko 2022-05-26 22:04:05 +02:00 committed by GitHub
commit 9f81b9f29a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
app/controllers/api/base_controller.rb
View file

@ -11,6 +11,7 @@ class Api::BaseController < ApplicationController
skip_before_action :require_functional!, unless: :whitelist_mode?
before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access?
before_action :require_not_suspended!
before_action :set_cache_headers
protect_from_forgery with: :null_session
@ -97,6 +98,10 @@ class Api::BaseController < ApplicationController
render json: { error: 'This method requires an authenticated user' }, status: 401 unless current_user
end
def require_not_suspended!
render json: { error: 'Your login is currently disabled' }, status: 403 if current_user&.account&.suspended?
end
def require_user!
if !current_user
render json: { error: 'This method requires an authenticated user' }, status: 422