CR Comments

7 years ago · 50198b111c
parent 53f2602d5b
commit 50198b111c
3 changed files with 6 additions and 4 deletions
--- a/app/controllers/carto/api/api_keys_controller.rb
+++ b/app/controllers/carto/api/api_keys_controller.rb
@ -72,7 +72,7 @@ class Carto::Api::ApiKeysController < ::Api::ApplicationController
  def load_api_key
    name = params[:id]
    @viewed_api_key = Carto::ApiKey.where(user_id: current_viewer.id, name: name).first
-    if !request_api_key.master? && @viewed_api_key != request_api_key || !@viewed_api_key
+    if !@viewed_api_key || !request_api_key.master? && @viewed_api_key != request_api_key
      raise Carto::LoadError.new("API key not found: #{name}")
    end
  end
--- a/app/models/carto/api_key.rb
+++ b/app/models/carto/api_key.rb
@ -116,7 +116,7 @@ module Carto
    end

    def self.create_in_memory_master(user: Carto::User.find(scope_attributes['user_id']))
-      new(
+      api_key = new(
        user: user,
        type: TYPE_MASTER,
        name: NAME_MASTER,
@ -125,6 +125,8 @@ module Carto
        db_role: user.database_username,
        db_password: user.database_password
      )
+      api_key.readonly!
+      api_key
    end

    def self.new_from_hash(api_key_hash)
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@ -309,14 +309,14 @@ module Carto::Api::AuthApiAuthentication
    match && match[:auth]
  end

-  def authenticate_user(master_key)
+  def authenticate_user(require_master_key)
    decoded_auth = Base64.decode64(base64_auth)
    user_name, token = decoded_auth.split(':')
    return fail! unless user_name == CartoDB.extract_subdomain(request)

    user_id = $users_metadata.HGET("rails:users:#{user_name}", 'id')
    api_key = Carto::ApiKey.where(user_id: user_id, token: token)
-    api_key = master_key ? api_key.master : api_key
+    api_key = require_master_key ? api_key.master : api_key
    return fail! unless api_key.exists?

    Carto::Api::AuthApiAuthentication.from_header = true # TODO remove this when user's api_key field is removed