From: Tom Hughes Date: Wed, 22 Nov 2023 12:30:39 +0000 (+0000) Subject: Prevent API tokens without write_notes creating attributed comments X-Git-Tag: live~771 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/f08fb4f30f83288a5d485d422b94c4301c2a86b5?hp=5da286bb4597cb5c5c29cd82b6e408454f752348 Prevent API tokens without write_notes creating attributed comments Fixes #4362
---
diff --git a/app/controllers/api/notes_controller.rb b/app/controllers/api/notes_controller.rb
index 95466781f..e28c0a622 100644
--- a/app/controllers/api/notes_controller.rb
+++ b/app/controllers/api/notes_controller.rb
@@ -389,8 +389,14 @@ module Api
 def add_comment(note, text, event, notify: true)
 attributes = { :visible => true, :event => event, :body => text }
- if current_user
- attributes[:author_id] = current_user.id
+ if doorkeeper_token || current_token
+ author = current_user if scope_enabled?(:write_notes)
+ else
+ author = current_user
+ end
+
+ if author
+ attributes[:author_id] = author.id
 else
 attributes[:author_ip] = request.remote_ip
 end