before_action :check_api_readable
+ around_action :api_call_handle_error, :api_call_timeout
+
private
##
end
end
- def authorize(errormessage = "Couldn't authenticate you")
+ def authorize(errormessage: "Couldn't authenticate you", skip_terms: false)
# make the current_user object from any auth sources we have
- setup_user_auth
+ setup_user_auth(:skip_terms => skip_terms)
# handle authenticate pass/fail
unless current_user
def current_ability
# Use capabilities from the oauth token if it exists and is a valid access token
if doorkeeper_token&.accessible?
- ApiAbility.new(nil).merge(ApiCapability.new(doorkeeper_token))
+ ApiAbility.new(doorkeeper_token)
else
- ApiAbility.new(current_user)
+ ApiAbility.new(nil)
end
end
# sets up the current_user for use by other methods. this is mostly called
# from the authorize method, but can be called elsewhere if authorisation
# is optional.
- def setup_user_auth
+ def setup_user_auth(skip_terms: false)
logger.info " setup_user_auth"
# try and setup using OAuth
self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?
# if the user hasn't seen the contributor terms then don't
# allow editing - they have to go to the web site and see
# (but can decline) the CTs to continue.
- if !current_user.terms_seen && flash[:skip_terms].nil?
+ if !current_user.terms_seen && !skip_terms
set_locale
report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden
end
report_error message, :bad_request
rescue OSM::APIError => e
report_error e.message, e.status
- rescue AbstractController::ActionNotFound => e
+ rescue AbstractController::ActionNotFound, CanCan::AccessDenied => e
raise
rescue StandardError => e
logger.info("API threw unexpected #{e.class} exception: #{e.message}")
raise OSM::APIRateLimitExceeded if new_changes > max_changes
end
+
+ def scope_enabled?(scope)
+ doorkeeper_token&.includes_scope?(scope)
+ end
+
+ helper_method :scope_enabled?
end
projects / rails.git / blobdiff