SECURITY FIX: Do not allow access to REST API without valid token in …
schof committed Oct 23, 2010
1 parent 87c7d41 commit 19944bd
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions vendor/extensions/api/app/controllers/api/base_controller.rb
Expand Up @@ -25,9 +25,8 @@ def self.resource_controller_for_api

define_method :admin_token_passed_in_headers do
token = request.headers['X-SpreeAPIKey']
return false unless token
@current_user = User.find_by_api_key(token)
@current_user.has_role? 'admin'
return access_denied unless token
return access_denied unless @current_user = User.find_by_api_key(token)
end

define_method :end_of_association_chain do
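Review bot: the admin role check disappears in this hunk. The removed body ended with `@current_user.has_role? 'admin'`, so `admin_token_passed_in_headers` was true only for an admin user; the added lines return `access_denied` when the header or the user lookup is missing, but otherwise pass as soon as `User.find_by_api_key(token)` returns any user. Unless the role is enforced inside `access_denied` or by a separate filter, a non-admin API key now satisfies a check that is named for admins; suggest keeping the role check after the lookup, e.g. `return access_denied unless @current_user.has_role? 'admin'`. Keeping `return access_denied unless token` before the lookup is right and should stay: without it a missing header would reach `find_by_api_key(nil)`, which matches a user whose `api_key` column is NULL. Minor style point: the assignment inside `unless @current_user = User.find_by_api_key(token)` is easy to misread as a comparison; assigning on its own line and then testing `@current_user` reads more clearly.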

0 comments on commit 19944bd