From b80be9832526ee956b3a73a634896c6cd8d2914e Mon Sep 17 00:00:00 2001
From: Azul
Date: Mon, 14 Jul 2014 12:18:18 +0200
Subject: ApiController with API style auth

require_login is require_token for the api controller
It also skips the verify_authenticity_token before filter.
So all Subclasses of the ApiController will only support token auth.

Also made the V1::UsersController a bit more strict.
Now way for admins to alter other users through the api.
We don't support that yet so let's not allow it either.
---
 app/controllers/v1/users_controller.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'app/controllers/v1/users_controller.rb')

diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb
index abaefd8..5c9e33f 100644
--- a/app/controllers/v1/users_controller.rb
+++ b/app/controllers/v1/users_controller.rb
@@ -1,10 +1,9 @@
 module V1
-  class UsersController < UsersBaseController
+  class UsersController < ApiController
 
-    skip_before_filter :verify_authenticity_token
     before_filter :fetch_user, :only => [:update]
     before_filter :require_admin, :only => [:index]
-    before_filter :require_token, :only => [:update]
+    before_filter :require_login, :only => [:index, :update]
     before_filter :require_registration_allowed, only: :create
 
     respond_to :json
@@ -29,11 +28,20 @@ module V1
       respond_with @user
     end
 
+    protected
+
     def require_registration_allowed
       unless APP_CONFIG[:allow_registration]
         head :forbidden
       end
     end
 
+    def fetch_user
+      @user = User.find(params[:id])
+      if @user != current_user
+        access_denied
+      end
+    end
+
   end
 end
-- 
cgit v1.2.3
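Review bot: The new `before_filter :require_login, :only => [:index, :update]` is declared after `fetch_user` and `require_admin`, and Rails runs before_filters in declaration order, so on `update` the lookup keyed on the untrusted `params[:id]` and the comparison against `current_user` execute before the token is verified. With an unauthenticated request `current_user` is nil inside `fetch_user`, and whether the request is rejected there or only later by `require_login` depends on what `User.find` does for an unknown id (raise or return nil), which this hunk does not show. Moving the line to the top of the filter list, `before_filter :require_login, :only => [:index, :update]` ahead of `before_filter :fetch_user, :only => [:update]`, makes authentication precede every authorization check and stops unauthenticated callers from probing user ids. A short comment on the filter block, `# order matters: authenticate before any lookup or authorization check`, would keep later additions from reintroducing the inversion. The class body continues past both hunks, so other filters may be declared outside this view.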
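Review bot: In the added `fetch_user`, `@user != current_user` is the only guard, so its outcome depends on the model's `==` and on both operands being non-nil; if `User.find` returns nil for an unknown id (not visible here) and `current_user` is also nil, the two compare equal and the filter does not deny. Comparing ids and requiring a logged-in user makes the check independent of those details: `@user = User.find(params[:id])` followed by `access_denied unless current_user && @user && @user.id == current_user.id`. The filter also relies on `access_denied` rendering or redirecting so that the chain halts; if it only sets state, `update` still runs with a foreign `@user`, which is worth confirming against the ApiController definition outside this diff. A one-line comment, `# API callers may only modify their own record; admins get no exception yet`, would record the intent stated in the commit message.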