From 846e581732e291f8927d04a5b1b40fe8f2688885 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Tue, 28 Feb 2017 13:08:07 -0800
Subject: use a magic default :global symbol instead of nil to make sure we mean the global permissions
---
 lib/api/helpers.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/api/helpers.rb')
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index a9b364da9e1..e5f5de2af57 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -116,7 +116,7 @@ module API
 forbidden! unless current_user.is_admin?
 end

- def authorize!(action, subject = nil)
+ def authorize!(action, subject = :global)
 forbidden! unless can?(current_user, action, subject)
 end

@@ -134,7 +134,7 @@ module API
 end
 end

- def can?(object, action, subject)
+ def can?(object, action, subject = :global)
 Ability.allowed?(object, action, subject)
 end

-- cgit v1.2.1
From 0ea04cc5bfcc125875a6e0f46702389f0e2e19c0 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/"
Date: Tue, 28 Feb 2017 13:19:52 -0800
Subject: use the policy stack to protect logins
---
 lib/api/helpers.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/api/helpers.rb')
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index e5f5de2af57..bd22b82476b 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -97,7 +97,7 @@ module API
 end

 def authenticate!
- unauthorized! unless current_user
+ unauthorized! unless current_user && can?(current_user, :access_api)
 end

 def authenticate_non_get!
-- cgit v1.2.1
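Review bot: The `:global` default on `authorize!` is an undocumented sentinel, and the same default is added to `can?` in the following hunk. With this change an explicit `nil` subject (for example a lookup that found nothing) is handed to `Ability.allowed?` as-is instead of standing for the global scope. How `Ability.allowed?` treats `nil` is not visible in this diff, so it is worth confirming that it denies. I would add a comment above both helpers such as `# subject defaults to :global (instance-wide permissions); nil is passed through and never means global`.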
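Review bot: The `:access_api` check is enforced only inside `authenticate!`, so an endpoint that reads `current_user` without calling `authenticate!` (optional authentication) would skip the policy check unless `current_user` applies it itself, which this hunk does not show. A user who is identified but denied `:access_api` also gets `unauthorized!` rather than `forbidden!`, so a policy denial looks the same as missing credentials to clients and in logs. If that is intended, a comment on `authenticate!` like `# 401 for anonymous callers and for users denied :access_api by policy` would record it. Otherwise keep the original `unauthorized! unless current_user` and add `forbidden! unless can?(current_user, :access_api)` as a second line.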