fix(admin): be more permissive on search API key validation

Closes: #701
algolia · Jan 5, 2018 · 3c12df2 · 3c12df2
1 parent 40404f3
commit 3c12df2
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/includes/class-algolia-api.php b/includes/class-algolia-api.php
@@ -139,10 +139,25 @@ public static function is_valid_search_api_key( $application_id, $search_api_key
 		$client = new Client( (string) $application_id, (string) $search_api_key );
 		try {
 			// If this call does not succeed, then the application_ID or API_key is/are wrong.
-			$acl = $client->getUserKeyACL( $search_api_key );
+			$acl = $client->getApiKey( $search_api_key );
 
 			// We expect a search only key for security reasons. Will be used in front.
-			if ( array( 'search' ) !== $acl['acl'] ) {
+			$scopes = array_flip( $acl['acl'] );
+			if ( ! isset( $scopes['search'] ) ) {
+				return false;
+			}
+			unset( $scopes['search'] );
+
+			if ( isset( $scopes['settings'] ) ) {
+				unset( $scopes['settings'] );
+			}
+
+			if ( isset( $scopes['listIndexes'] ) ) {
+				unset( $scopes['listIndexes'] );
+			}
+
+			if ( ! empty( $scopes ) ) {
+				// The API key has more permissions than allowed.
 				return false;
 			}