From: Andy Allan
Date: Wed, 12 Dec 2018 12:58:38 +0000 (+0100)
Subject: Use only token capabilities when a token is provided
X-Git-Tag: live~3855^2
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/981e4a34b5d5ea1c1e3da1518697e2cf5e6ab0b3?ds=inline;hp=981e4a34b5d5ea1c1e3da1518697e2cf5e6ab0b3

Use only token capabilities when a token is provided

The Authenticate#allow? method (from oauth-plugin) sets current_user as a side effect of checking the token. But this allows a valid token to access all actions that are available to that user, beyond the capabilities for that token.
---
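The authorization flaw the commit message describes, modelled as an added Ruby illustration that is not code from the openstreetmap-website repository or from oauth-plugin. The `User` and `Token` structs, the `capabilities` arrays and the action symbols (`:read_prefs`, `:write_api`) are assumptions made for this example; the two checker methods contrast authorizing against `current_user` (set as a side effect of token authentication) with authorizing against the token's own capability list.

```ruby
# Added illustration of the two authorization policies contrasted in the commit
# message. Not code from openstreetmap-website or oauth-plugin; names and
# capability symbols are constructed for this example.

# A logged-in user and the capabilities they hold when acting directly.
User = Struct.new(:name, :capabilities)

# An OAuth access token: belongs to a user, but carries its own narrower grant.
Token = Struct.new(:user, :capabilities)

# Side-effect pattern: authenticating the token sets current_user, and the
# action is then authorized against that user, so every capability the user
# has leaks to any valid token, whatever the token was actually granted.
def allowed_via_user?(current_user, token, action)
  current_user = token.user if token # token auth sets current_user as a side effect
  return false unless current_user
  current_user.capabilities.include?(action)
end

# Corrected pattern: when a token is presented, authorize only against the
# capabilities granted to that token; fall back to the user's own capabilities
# only for a direct (non-token) session.
def allowed_via_token?(current_user, token, action)
  if token
    token.capabilities.include?(action)
  else
    return false unless current_user
    current_user.capabilities.include?(action)
  end
end

# Constructed sample: the user may write to the API, the token may only read prefs.
SAMPLE_USER  = User.new("alice", [:read_prefs, :write_api]).freeze
SAMPLE_TOKEN = Token.new(SAMPLE_USER, [:read_prefs]).freeze

# Returns, for each policy, whether the read-only token can reach the write action.
def compare_policies(token = SAMPLE_TOKEN, action = :write_api)
  {
    via_user:  allowed_via_user?(nil, token, action),  # true: the flaw
    via_token: allowed_via_token?(nil, token, action), # false: the fix
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_policies.each { |policy, allowed| puts "#{policy}: #{allowed}" }
end
```

The `via_user` result is the behaviour the commit removes: a token granted only `:read_prefs` is accepted for `:write_api` because the check never looks at the token after it has populated `current_user`. The `via_token` branch is the defensive shape to look for in a review of any token-based authorization path: the principal that authenticated (the token) is the one whose grant is consulted.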