[ARVADOS] updated: 1.1.0-167-gb3d2924

Git user git at public.curoverse.com
Fri Nov 24 01:15:59 EST 2017 

Summary of changes:
 services/api/app/controllers/application_controller.rb | 2 +-
 services/api/app/middlewares/arvados_api_token.rb      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

       via  b3d29244e674566e785777a32efeb0a7b98ab087 (commit)
      from  742cbf87567db0d60fccadd382be600aaf7a2787 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit b3d29244e674566e785777a32efeb0a7b98ab087
Author: Tom Clegg <tclegg at veritasgenetics.com>
Date:   Fri Nov 24 01:10:56 2017 -0500

    12627: Any token can permit scope, if acting as the right user.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg at veritasgenetics.com>

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index ba0efa7..6bdba7a 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -365,7 +365,7 @@ class ApplicationController < ActionController::Base
   end
 
   def require_auth_scope
-    if @read_auths.empty? || @read_auths[0] != current_api_client_authorization
+    unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid }
       if require_login != false
         send_error("Forbidden", status: 403)
       end
diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index 555e661..950fdbb 100644
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -32,7 +32,7 @@ class ArvadosApiToken
     user = nil
     api_client = nil
     api_client_auth = nil
-    if request.get?
+    if request.get? || params["_method"] == 'GET'
       reader_tokens = params["reader_tokens"]
       if reader_tokens.is_a? String
         reader_tokens = SafeJSON.load(reader_tokens)

-----------------------------------------------------------------------


hooks/post-receive
--

More information about the arvados-commits mailing list