From: Anton Khorev <tony29@yandex.ru>
Date: Sat, 15 Feb 2025 00:34:53 +0000 (+0300)
Subject: Check user instead of scope when getting note author info
X-Git-Tag: live~200^2
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/037bafcd1ca8494f25ded9fbad422c41f349889c?ds=inline;hp=--cc

Check user instead of scope when getting note author info

Previously it was possible to create a note while authorized but having no write_notes scope. Currently it's not possible.
---

037bafcd1ca8494f25ded9fbad422c41f349889c
diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb
index bc4d2eaf2..a0095d954 100644
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -387,7 +387,7 @@ module Api
     ##
     # Get author's information (for logged in users - user_id, for logged out users - IP address)
     def author_info
-      if scope_enabled?(:write_notes)
+      if current_user
         { :user_id => current_user.id }
       else
         { :user_ip => request.remote_ip }