Triggering a backup via admin API causes the api_key to become only valid for system user


(Michael Brown) #1

Before:

Reproduction:

$ api_key=340496f95ab2f28cc45f575cbfcc28edd10db076beb1139da14b3fa80bb23dd2
$ curl -XPOST -H 'Content-Type: application/json' "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=michael" -d '{ "with_uploads": true }'
{"success":"OK"}
$ curl "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=michael"
(HTML error page as I'm in development mode)
$ curl "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=system"
[{"filename":"discourse-2018-01-12-112341-v20180111092141.sql.gz","size":3216556,"link":"//discourse/admin/backups/discourse-2018-01-12-112341-v20180111092141.sql.gz"}]

After:


(Sam Saffron) #2

Can you look at the underlying table, before and after?

bin/rails c
> ApiKey.all

(Michael Brown) #3

Before

[4] pry(main)> ApiKey.all
  ApiKey Load (0.4ms)  SELECT "api_keys".* FROM "api_keys"
=> [#<ApiKey:0x0000000d615e38
  id: 3,
  key: "scoobydoowhereareyou",
  user_id: nil,
  created_by_id: -1,
  created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  updated_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  allowed_ips: nil,
  hidden: false>]

Operation

○ → curl -XPOST -H 'Content-Type: application/json' \
  "http://discoursedev:3000/admin/backups.json?api_key=scoobydoowhereareyou&api_username=michael" \
  -d '{ "with_uploads": true }'
{"success":"OK"}

After

[5] pry(main)> ApiKey.all
  ApiKey Load (0.3ms)  SELECT "api_keys".* FROM "api_keys"
=> [#<ApiKey:0x000000064318d0
  id: 3,
  key: "scoobydoowhereareyou",
  user_id: -1,
  created_by_id: -1,
  created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  updated_at: Mon, 15 Jan 2018 16:20:31 UTC +00:00,
  allowed_ips: nil,
  hidden: false>]
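
The before/after comparison in post #3 can be automated. The following is an added example, not code from the thread's participants or from Discourse: it parses two `ApiKey.all` console dumps and reports any key whose `user_id` changed, flagging the case shown above where an all-users key (`user_id: nil`) becomes bound to one user (`-1`, the system user). The helper names `parse_dump` and `scope_changes` are hypothetical, and the sample dumps are constructed from the output quoted in post #3.

```ruby
# Sample input constructed from the "Before" dump quoted in post #3.
BEFORE = <<~DUMP
  => [#<ApiKey:0x0000000d615e38
    id: 3,
    key: "scoobydoowhereareyou",
    user_id: nil,
    created_by_id: -1,
    created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
    updated_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
    allowed_ips: nil,
    hidden: false>]
DUMP

# "After" dump: same record with the two fields that changed in post #3.
AFTER = BEFORE
  .sub("user_id: nil", "user_id: -1")
  .sub("updated_at: Mon, 15 Jan 2018 16:20:10", "updated_at: Mon, 15 Jan 2018 16:20:31")

# Turn the inspect output of ApiKey records into an array of field hashes.
# Values stay as the strings printed by the console ("nil", "-1", ...).
def parse_dump(text)
  text.scan(/#<ApiKey:0x\h+(.*?)>/m).map do |(body)|
    # One "name: value," pair per line; the lazy match keeps commas inside dates.
    body.scan(/^\s*(\w+): (.*?),?$/).to_h
  end
end

# Report keys whose user binding differs between two dumps.
# The key value itself is deliberately left out of the report.
def scope_changes(before, after)
  old = parse_dump(before).map { |row| [row["id"], row] }.to_h
  parse_dump(after).map do |row|
    prev = old[row["id"]]
    next if prev.nil? || prev["user_id"] == row["user_id"]
    kind = prev["user_id"] == "nil" ? :all_users_key_bound_to_user : :owner_changed
    { id: row["id"], from: prev["user_id"], to: row["user_id"],
      kind: kind, updated_at: row["updated_at"] }
  end.compact
end

scope_changes(BEFORE, AFTER).each { |change| puts change.inspect }
```
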