ApiController with API style auth

require_login is require_token for the api controller

It also skips the verify_authenticity_token before filter.
So all Subclasses of the ApiController will only support token auth.

Also made the V1::UsersController a bit more strict. Now way for admins to alter other users through the api. We don't support that yet so let's not allow it either.

1 files changed, 11 insertions, 3 deletions

diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb
index abaefd8..5c9e33f 100644
--- a/app/controllers/v1/users_controller.rb
+++ b/app/controllers/v1/users_controller.rb
@@ -1,10 +1,9 @@
 module V1
-  class UsersController < UsersBaseController
+  class UsersController < ApiController
 
-    skip_before_filter :verify_authenticity_token
     before_filter :fetch_user, :only => [:update]
     before_filter :require_admin, :only => [:index]
-    before_filter :require_token, :only => [:update]
+    before_filter :require_login, :only => [:index, :update]
     before_filter :require_registration_allowed, only: :create
 
     respond_to :json
@@ -29,11 +28,20 @@ module V1
       respond_with @user
     end
 
+    protected
+
     def require_registration_allowed
       unless APP_CONFIG[:allow_registration]
         head :forbidden
       end
     end
 
+    def fetch_user
+      @user = User.find(params[:id])
+      if @user != current_user
+        access_denied
+      end
+    end
+
   end
 end