Make sure private_token for API is a string

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Make sure private_token for API is a string
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
9d79d6e1 · Dmitriy Zaporozhets · dfade97e · 9d79d6e1
Commit 9d79d6e1 authored Nov 08, 2013 by Dmitriy Zaporozhets
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

lib/api/helpers.rb lib/api/helpers.rb +6 -1

No files found.
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -6,19 +6,23 @@ module API
    SUDO_PARAM = :sudo

    def current_user
-      @current_user ||= User.find_by_authentication_token(params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER])
+      private_token = (params[PRIVATE_TOKEN_PARAM] || env[PRIVATE_TOKEN_HEADER]).to_s
+      @current_user ||= User.find_by_authentication_token(private_token)
      identifier = sudo_identifier()
+
      # If the sudo is the current user do nothing
      if (identifier && !(@current_user.id == identifier || @current_user.username == identifier))
        render_api_error!('403 Forbidden: Must be admin to use sudo', 403) unless @current_user.is_admin?
        @current_user = User.by_username_or_id(identifier)
        not_found!("No user id or username for: #{identifier}") if @current_user.nil?
      end
+
      @current_user
    end

    def sudo_identifier()
      identifier ||= params[SUDO_PARAM] ||= env[SUDO_HEADER]
+
      # Regex for integers
      if (!!(identifier =~ /^[0-9]+$/))
        identifier.to_i
@@ -29,6 +33,7 @@ module API

    def set_current_user_for_thread
      Thread.current[:current_user] = current_user
+
      begin
        yield
      ensure