mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 05:36:00 +00:00
Updated API auth to allow public user if given permission
This commit is contained in:
parent
9666c8c0f7
commit
24bad5034a
@ -35,9 +35,9 @@ class ApiAuthenticate
|
||||
{
|
||||
// Return if the user is already found to be signed in via session-based auth.
|
||||
// This is to make it easy to browser the API via browser after just logging into the system.
|
||||
if (signedInUser()) {
|
||||
if (signedInUser() || session()->isStarted()) {
|
||||
$this->ensureEmailConfirmedIfRequested();
|
||||
if (!auth()->user()->can('access-api')) {
|
||||
if (!user()->can('access-api')) {
|
||||
throw new ApiAuthException(trans('errors.api_user_no_api_permission'), 403);
|
||||
}
|
||||
return;
|
||||
|
@ -1,5 +1,6 @@
|
||||
<?php namespace Tests\Api;
|
||||
|
||||
use BookStack\Auth\User;
|
||||
use Tests\TestCase;
|
||||
|
||||
class ApiDocsTest extends TestCase
|
||||
@ -39,4 +40,19 @@ class ApiDocsTest extends TestCase
|
||||
] ]
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_docs_page_visible_by_public_user_if_given_permission()
|
||||
{
|
||||
$this->setSettings(['app-public' => true]);
|
||||
$guest = User::getDefault();
|
||||
|
||||
$this->startSession();
|
||||
$resp = $this->get('/api/docs');
|
||||
$resp->assertStatus(403);
|
||||
|
||||
$this->giveUserPermissions($guest, ['access-api']);
|
||||
|
||||
$resp = $this->get('/api/docs');
|
||||
$resp->assertStatus(200);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user