Check user instead of scope when getting note author info

Previously it was possible to create a note while authorized but having no write_notes scope. Currently it's not possible.

diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb
index bc4d2eaf2ceaa47076e57e4182fdcca583d65809..a0095d954b5d6f48dd891560d11c7f755523c964 100644 (file)
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -387,7 +387,7 @@ module Api
     ##
     # Get author's information (for logged in users - user_id, for logged out users - IP address)
     def author_info
-      if scope_enabled?(:write_notes)
+      if current_user
         { :user_id => current_user.id }
       else
         { :user_ip => request.remote_ip }