Prevent API tokens without write_notes creating attributed comments

author Tom Hughes <tom@compton.nu>

Wed, 22 Nov 2023 12:30:39 +0000 (12:30 +0000)

committer Tom Hughes <tom@compton.nu>

Wed, 22 Nov 2023 12:30:39 +0000 (12:30 +0000)
author Tom Hughes <tom@compton.nu>
Wed, 22 Nov 2023 12:30:39 +0000 (12:30 +0000)
committer Tom Hughes <tom@compton.nu>
Wed, 22 Nov 2023 12:30:39 +0000 (12:30 +0000)
diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb

index 95466781f84c8bd97a8fef6c6bea1332d26f6388..e28c0a622802f7d1419e200928e0a5893374d550 100644 (file)
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -389,8 +389,14 @@ module Api
      def add_comment(note, text, event, notify: true)
        attributes = { :visible => true, :event => event, :body => text }
  
-      if current_user
-        attributes[:author_id] = current_user.id
+      if doorkeeper_token || current_token
+        author = current_user if scope_enabled?(:write_notes)
+      else
+        author = current_user
+      end
+
+      if author
+        attributes[:author_id] = author.id
        else
          attributes[:author_ip] = request.remote_ip
        end
author	Tom Hughes <tom@compton.nu>
	Wed, 22 Nov 2023 12:30:39 +0000 (12:30 +0000)
committer	Tom Hughes <tom@compton.nu>
	Wed, 22 Nov 2023 12:30:39 +0000 (12:30 +0000)