Merge remote-tracking branch 'upstream/pull/5014'

[rails.git] / app / controllers / api_controller.rb

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index edafac7ccdc44f3f75f07e0f3a082909a793bfea..ae1bc87554e0e0b1da81debd07cf7296df80d2d1 100644 (file)
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -1,6 +1,8 @@
 class ApiController < ApplicationController
   skip_before_action :verify_authenticity_token
 
+  before_action :check_api_readable
+
   private
 
   ##
@@ -110,6 +112,7 @@ class ApiController < ApplicationController
         # self.current_user setup by OAuth
       else
         report_error t("application.oauth_10a_disabled", :link => t("application.auth_disabled_link")), :forbidden
+        self.current_user = nil
       end
     else
       username, passwd = auth_data # parse from headers