Use only token capabilities when a token is provided
author    Andy Allan <git@gravitystorm.co.uk>
          Wed, 12 Dec 2018 12:58:38 +0000 (13:58 +0100)
committer Andy Allan <git@gravitystorm.co.uk>
          Wed, 12 Dec 2018 15:16:23 +0000 (16:16 +0100)
commit    981e4a34b5d5ea1c1e3da1518697e2cf5e6ab0b3
tree      b50391f50df46e770fd001338f36c4742432f11e
parent    a3a10237f7cbd4586086133a926dc4dd9fd5b7bf
Use only token capabilities when a token is provided

The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
app/controllers/application_controller.rb
test/controllers/user_preferences_controller_test.rb
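The authorization flaw the commit message describes, modelled as a small Ruby simulation. This is an added example, not code from openstreetmap-website or from oauth-plugin: the `Token`, `User`, `Request` structs, the `ACTION_CAPABILITY` table and the capability names are assumptions chosen to illustrate the pattern. The flawed flow sets the current user as a side effect of looking at the token, and the action gate then only asks whether someone is logged in; the fixed flow lets a token-bearing request through only when the token itself carries the capability for the requested action.

```ruby
# Added example (not openstreetmap-website or oauth-plugin code).
# Models the bug from the commit message: a valid token implicitly logs the
# user in, so any action the user may perform becomes reachable with that
# token, regardless of the token's own capabilities.
require "set"

# Constructed token: its capabilities are symbols such as :allow_read_prefs.
Token = Struct.new(:user, :capabilities) do
  def allows?(capability)
    capabilities.include?(capability)
  end
end

User = Struct.new(:name)

# A request either carries an OAuth token or a logged-in session user (or neither).
Request = Struct.new(:token, :session_user)

# Assumed mapping from controller action to the capability a token needs.
ACTION_CAPABILITY = {
  read_prefs: :allow_read_prefs,
  write_prefs: :allow_write_prefs,
  write_api: :allow_write_api
}.freeze

# Flawed flow. Stage 1 "checks" the token but, as a side effect, sets
# current_user for every valid token. Stage 2 gates the action on whether a
# current_user exists, so the token's capabilities never constrain access.
def flawed_authorized?(request, action)
  current_user = request.token&.user || request.session_user
  !current_user.nil? # the capability for `action` is never consulted
end

# Fixed flow. When a token is present the decision depends on the token's
# capabilities alone; the user behind the token grants nothing by itself.
# Only a session login (no token) falls back to "is someone logged in".
def fixed_authorized?(request, action)
  if request.token
    capability = ACTION_CAPABILITY[action]
    return false if capability.nil? # unknown action: deny by default
    return request.token.allows?(capability)
  end
  !request.session_user.nil?
end

# Constructed scenario: a token that may only read preferences.
def demo
  alice = User.new("alice")
  read_only_token = Token.new(alice, Set[:allow_read_prefs])
  token_request = Request.new(read_only_token, nil)
  session_request = Request.new(nil, User.new("bob"))

  {
    flawed_write_api_with_read_token: flawed_authorized?(token_request, :write_api),
    fixed_write_api_with_read_token: fixed_authorized?(token_request, :write_api),
    fixed_read_prefs_with_read_token: fixed_authorized?(token_request, :read_prefs),
    fixed_write_api_with_session: fixed_authorized?(session_request, :write_api),
    fixed_anonymous: fixed_authorized?(Request.new(nil, nil), :read_prefs)
  }
end

if __FILE__ == $0
  demo.each { |scenario, allowed| puts "#{scenario}: #{allowed}" }
end
```

Running the file shows the read-only token being granted `write_api` under the flawed flow and refused under the fixed one, while a regular session login and the token's own `read_prefs` capability still work as expected.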