main ← scope-reviewable-guardian-for-api-request
opened 06:49PM - 24 Apr 23 UTC
# Context
https://meta.discourse.org/t/missing-translate-in-review-page/26260…4

An additional button was added as a result of https://github.com/discourse/discourse/commit/dd495a0e194928fb2a11a14ff9b3403f61df1259 which was intended to grant access to deleting reviewable from the API.
We were being too flexible by only checking if the user was an admin
https://github.com/discourse/discourse/blob/012aaf0ba32890a93f913b469681792341198ecc/lib/guardian.rb#L237
where it should instead be scoped to check if the request was an API call.
# Fix
https://github.com/discourse/discourse/pull/21226/files#diff-0a2548be4b18bd4ef2dffb3ef8e44984d2fef7f037b53e98f67abea52ef75aa2R237
# Additions
Added a new guard of `is_api?`
https://github.com/discourse/discourse/pull/21226/files#diff-0a2548be4b18bd4ef2dffb3ef8e44984d2fef7f037b53e98f67abea52ef75aa2R657-R660
In `app/models/reviewable.rb` we check if the user has the permissions to the destroy action via the `Guardian`. To do this we were instantiating a new `Guardian` class which then caused us to lose the context of the request. The request is a necessary component in the guard of `is_api?` so we needed to pass the already defined Guardian from the `app/controllers/reviewables_controller.rb` to the `#perform` method to ensure the request is present.
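As an added illustration of the pattern described above (this is not Discourse's code and not part of the PR): a self-contained Ruby model with hypothetical classes named after the ones in the description (`Guardian`, `Reviewable`, `is_api?`, `can_delete_reviewable?`). The `Request` class, its `api_call` attribute, the `before`/`after` guard bodies and the controller-style caller are all assumptions made for the example. It shows both the over-permissive admin-only check and why a `Guardian` rebuilt from the user alone can never satisfy `is_api?`, so the controller's guardian has to be passed through to `#perform`.

```ruby
# Added example, not Discourse's code. Hypothetical classes modelling the
# guardian pattern from the PR description.

class User
  attr_reader :username
  def initialize(username, admin: false)
    @username = username
    @admin = admin
  end
  def admin?; @admin; end
end

# Assumed request object: only records whether the call came in via the API.
class Request
  attr_reader :api_call
  def initialize(api_call: false)
    @api_call = api_call
  end
end

class Guardian
  attr_reader :user, :request
  def initialize(user, request = nil)
    @user = user
    @request = request
  end

  # Request-scoped guard: true only when a request is present and it was an
  # API call. A Guardian built without a request can never answer true here.
  def is_api?
    !request.nil? && request.api_call
  end

  # Assumed "before" check: being an admin was enough (too flexible).
  def can_delete_reviewable_before_fix?
    user.admin?
  end

  # Assumed "after" check: admin AND an API request.
  def can_delete_reviewable?
    user.admin? && is_api?
  end
end

class Reviewable
  attr_reader :deleted
  def initialize; @deleted = false; end

  # Buggy pattern: re-instantiating the Guardian drops the request context,
  # so is_api? is false and the delete is refused even for a real API call.
  def perform_rebuilding_guardian(user, action)
    perform_with(Guardian.new(user), action)
  end

  # Fixed pattern: the caller hands over the Guardian it already holds.
  def perform(guardian, action)
    perform_with(guardian, action)
  end

  private

  def perform_with(guardian, action)
    raise ArgumentError, "unknown action #{action}" unless action == :delete
    return :forbidden unless guardian.can_delete_reviewable?
    @deleted = true
    :deleted
  end
end

# Controller-style caller: it is the one place that has the request, so it
# builds the Guardian with it and passes that Guardian down to the model.
def controller_destroy(user, request, reviewable)
  reviewable.perform(Guardian.new(user, request), :delete)
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new("alice", admin: true)
  puts controller_destroy(admin, Request.new(api_call: true), Reviewable.new)   # deleted
  puts controller_destroy(admin, Request.new(api_call: false), Reviewable.new)  # forbidden
  puts Reviewable.new.perform_rebuilding_guardian(admin, :delete)               # forbidden
end
```

The check to take away from the example is the last line of the demo: an admin making a genuine API call is refused when the model rebuilds its own `Guardian`, because the request never reaches the guard. Passing the controller's `Guardian` keeps the scope tight (admin plus API) without breaking the intended API path.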