As some of you might know, we're developing a PHP REST API client. We're running into a lot of problems, though.
- Trying to change some site settings, but this doesn't work. My Ruby knowledge is pretty limited, but this is what I think is happening.
First, some code snippets.
```ruby
Discourse::Application.routes.draw do
  ...
  namespace :admin, constraints: StaffConstraint.new do
    get '' => 'admin#index'
    resources :site_settings, constraints: AdminConstraint.new
```
```ruby
class AdminConstraint
  def matches?(request)
    return false unless request.session[:current_user_id].present?
    User.admins.where(id: request.session[:current_user_id].to_i).exists?
  end
end
```
```ruby
# possible we have an api call, impersonate
unless @current_user
  if api_key = request["api_key"]
    if api_username = request["api_username"]
      if SiteSetting.api_key_valid?(api_key)
        @is_api = true
        @current_user = User.where(username_lower: api_username.downcase).first
      end
    end
  end
end
```
As far as I understand, this is the problem: the StaffConstraint and AdminConstraint check the session and not the user object, thus causing the API impersonation to fail and the request to be treated as if no one were logged in, obviously denying the change to the site_setting.
- Creating a user on an invite-only forum fails. Yes, that makes sense in a user interface, but does it make sense if the API is being used?
```ruby
class UsersController < ApplicationController
  ...
  def create
    return fake_success_response if suspicious? params
    ...

  def suspicious?(params)
    honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
  end
```
Why is this honeypot complicating things anyway? That is security by obscurity…
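A constructed Ruby model of both failure paths described in the post, added here as an illustration; it is not code from the Discourse codebase or from the original poster. It reproduces the shape of the quoted snippets without Rails so the behaviour can be exercised directly: a session-only admin constraint versus one that resolves the user the way the quoted controller does, and a `create` gate that returns a success-shaped response when the honeypot/challenge check or `invite_only?` trips. `FakeRequest`, `SiteSettingStub`, `USERS`, the `honeypot` and `challenge` field names and the sample key are all hypothetical stand-ins, not real Discourse identifiers.

```ruby
# Added example, not Discourse's own code. Every name below (FakeRequest,
# SiteSettingStub, USERS, CHALLENGE, the honeypot/challenge field names) is a
# hypothetical stand-in constructed for this illustration.

module SiteSettingStub
  API_KEY = 'f' * 64            # constructed sample key, not a real one
  @invite_only = false

  class << self
    attr_accessor :invite_only

    def api_key_valid?(key)
      !key.nil? && key == API_KEY
    end

    def invite_only?
      @invite_only
    end
  end
end

User = Struct.new(:id, :username_lower, :admin)

# Constructed user table standing in for the User model
USERS = [User.new(1, 'alice', true), User.new(2, 'bob', false)].freeze

# Stand-in for the Rack request: a session hash plus request params.
# request["api_key"] in the quoted controller reads params, so [] maps to params.
FakeRequest = Struct.new(:session, :params) do
  def [](name)
    params[name]
  end
end

# Same logic as the quoted current_user code: a session wins, otherwise an
# api_key + api_username pair impersonates the named user.
def resolve_current_user(request)
  uid = request.session[:current_user_id]
  return USERS.find { |u| u.id == uid.to_i } if uid

  api_key = request['api_key']
  api_username = request['api_username']
  return nil unless api_key && api_username && SiteSettingStub.api_key_valid?(api_key)

  USERS.find { |u| u.username_lower == api_username.downcase }
end

# Mirrors the quoted AdminConstraint: looks only at the session, never at api params.
class SessionAdminConstraint
  def matches?(request)
    uid = request.session[:current_user_id]
    return false if uid.nil?

    USERS.any? { |u| u.id == uid.to_i && u.admin }
  end
end

# A constraint that resolves the user the same way the controller does, so an
# API impersonation of an admin passes while a non-admin api_username is refused.
class UserAdminConstraint
  def matches?(request)
    user = resolve_current_user(request)
    !user.nil? && user.admin
  end
end

# --- user creation gate, modelled on the quoted UsersController#create ---

CHALLENGE = 'constructed-challenge-token'   # what the server would have issued

# Hypothetical honeypot: a hidden field a browser leaves empty plus a challenge
# token that must echo the issued value. An API client that knows nothing about
# either fails this check.
def honeypot_or_challenge_fails?(params)
  params['honeypot'].to_s != '' || params['challenge'] != CHALLENGE
end

def suspicious?(params)
  honeypot_or_challenge_fails?(params) || SiteSettingStub.invite_only?
end

# Mirrors `return fake_success_response if suspicious? params`: the caller gets
# a success-shaped reply even though no user was created.
def create_user(params)
  return { success: true, created: false } if suspicious?(params)

  { success: true, created: true }
end

if __FILE__ == $PROGRAM_NAME
  api_admin = FakeRequest.new({}, { 'api_key' => SiteSettingStub::API_KEY, 'api_username' => 'Alice' })
  puts "session-only constraint, API admin: #{SessionAdminConstraint.new.matches?(api_admin)}"
  puts "user-resolving constraint, API admin: #{UserAdminConstraint.new.matches?(api_admin)}"
  puts "API create without honeypot fields: #{create_user('username' => 'carol')}"
end
```

Run as-is to see the session-only constraint reject a request that the controller would happily impersonate as an admin, and a user-creation call that reports success while creating nothing; both are the silent failures an API client would observe.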