git.openstreetmap.org Git - rails.git/commitdiff
Use only token capabilities when a token is provided
author: Andy Allan <git@gravitystorm.co.uk>
Wed, 12 Dec 2018 12:58:38 +0000 (13:58 +0100)
committer: Andy Allan <git@gravitystorm.co.uk>
Wed, 12 Dec 2018 15:16:23 +0000 (16:16 +0100)
The Authenticate#allow? method (from oauth-plugin) sets current_user as a side
effect of checking the token. But this allows a valid token to access
all actions that are available to that user, beyond the capabilities for
that token.
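The following is an added illustration of the authorization problem the commit message describes; it is not code from oauth-plugin or from the OpenStreetMap rails repository. The `Token` struct, the `USER_ACTIONS` list, the capability names and both check functions are hypothetical, written only to contrast a check that stops at "is this a valid token for some user?" with one that also requires the requested action to be among the token's own capabilities.

```ruby
# Hypothetical model (not oauth-plugin code): a token carries the user it
# belongs to, the capabilities granted to it, and a validity flag.
Token = Struct.new(:user, :capabilities, :valid)

# Hypothetical set of actions a user could perform when logged in directly.
USER_ACTIONS = %i[read_prefs write_prefs write_api write_gpx].freeze

# Flawed check: validating the token sets the current user as a side effect,
# and authorization then only asks "can this user do it?", so any valid token
# unlocks every action available to its owner regardless of the token's scope.
def allowed_by_user_only?(token, action)
  current_user = token.valid ? token.user : nil
  return false if current_user.nil?

  USER_ACTIONS.include?(action)
end

# Corrected check: when a token is presented, the action must also fall within
# the capabilities granted to that specific token.
def allowed_by_token_capabilities?(token, action)
  return false unless token.valid
  return false unless USER_ACTIONS.include?(action)

  token.capabilities.include?(action)
end

# Constructed sample: a valid token for user "alice" scoped to reading
# preferences only.
def sample_token
  Token.new("alice", [:read_prefs], true)
end

# Constructed sample: the same scope, but the token has been revoked.
def revoked_token
  Token.new("alice", [:read_prefs], false)
end

# Compare both checks for an in-scope and an out-of-scope action.
# Each row is [action, flawed_result, corrected_result].
def demo(token = sample_token)
  %i[read_prefs write_api].map do |action|
    [action,
     allowed_by_user_only?(token, action),
     allowed_by_token_capabilities?(token, action)]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run stand-alone, the script shows that the flawed check lets the read-only token perform `write_api`, while the capability-aware check refuses it and still permits `read_prefs`; a revoked token is refused by both.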