Restrict creation through API

commit d8edfcf93b85b97f060bdf607e1ec9cc6d9ced32 1 parent 9ab801b
@mattyoho mattyoho authored
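--- a/app/controllers/api/feed_items_controller.rb
+++ b/app/controllers/api/feed_items_controller.rb
@@ -1,6 +1,8 @@
 module Api
 class FeedItemsController < ApiController
+ before_filter :verify_feed_ownership, except: :index
+
 def index
 feed = Feed.find_by_name!(params[:feed_id])
 @feed_items = feed.feed_items.last_first(params[:page])
@@ -19,9 +21,8 @@ def index
 end
 def create
- feed = Feed.find_by_name!(params[:feed_id])
 kind = params[:item].delete(:type)
- @feed_item = feed.feed_item_of(kind).new(params[:item])
+ @feed_item = current_user.feed.feed_item_of(kind).new(params[:item])
 respond_to do |format|
 if @feed_item.save
@@ -33,9 +34,8 @@ def create
 end
 def update
- feed = Feed.find_by_name!(params[:feed_id])
 kind = params[:item].delete(:type)
- @feed_item = feed.feed_item_of(kind).new(params[:item])
+ @feed_item = current_user.feed.feed_item_of(kind).new(params[:item])
 respond_to do |format|
 if @feed_item.save
@@ -46,6 +46,14 @@ def update
 end
 end
+ private
+
+ def verify_feed_ownership
+ unless current_user.feed.display_name == params[:feed_id]
+ head status: :unauthorized
+ end
+ end
+
 end
 end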
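Review bot: verify_feed_ownership compares `current_user.feed.display_name` with `params[:feed_id]`, while `index` resolves that same parameter through `Feed.find_by_name!`, so the ownership check and the route lookup key off different attributes. If `display_name` can differ from `name` the legitimate owner is rejected, and if it is user-editable or not unique the check no longer says anything about the feed named in the URL; comparing the attribute the finder uses, `unless current_user.feed.name == params[:feed_id]`, keeps the two in step (assuming `name` is the column behind `find_by_name!`). A 403 (`head status: :forbidden`) also describes the situation better than 401, since the caller has already passed ApiController's `authenticate` filter. `current_user.feed` is dereferenced without a nil guard; if a user can exist without a feed this raises instead of denying.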
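--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -1,6 +1,8 @@
 class ApiController < ActionController::Base
 before_filter :authenticate
+ attr_accessor :current_user
+
 private
 def authenticate
@@ -16,11 +18,4 @@ def construct_link_header(next_url, last_url)
 "<#{next_url}>; rel=\"next\", <#{last_url}>; rel=\"last\""
 end
- def current_user
- @current_user
- end
-
- def current_user=(user)
- @current_user = user
- end
 end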
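Review bot: `attr_accessor :current_user` sits above the `private` marker, so the `current_user` and `current_user=` methods this commit replaces — previously private, as the removed hunk shows — become public instance methods of every controller inheriting from ApiController. Rails treats public controller methods as action candidates, so depending on the routes (not visible here) `current_user=` could become routable; even if it is not, a public setter for the request's identity is surface the old code did not expose. Restoring the visibility while keeping the accessor needs one line after it, `private :current_user, :current_user=`, or the `attr_accessor` can simply be moved below `private`.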
