They aren't designed to be used as request endpoints, so there's no
need for them to be public.
class ApiController < ApplicationController
skip_before_action :verify_authenticity_token
class ApiController < ApplicationController
skip_before_action :verify_authenticity_token
def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
# make the current_user object from any auth sources we have
setup_user_auth
def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
# make the current_user object from any auth sources we have
setup_user_auth
attr_accessor :current_user
helper_method :current_user
attr_accessor :current_user
helper_method :current_user
def authorize_web
if session[:user]
self.current_user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first
def authorize_web
if session[:user]
self.current_user = User.where(:id => session[:user]).where("status IN ('active', 'confirmed', 'suspended')").first
# extract authorisation credentials from headers, returns user = nil if none
def get_auth_data
if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
# extract authorisation credentials from headers, returns user = nil if none
def get_auth_data
if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it