They aren't designed to be used as request endpoints, so there's no need for them to be public.
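class ApiController < ApplicationController
  # Realm and body used for the HTTP Basic challenge sent when a request
  # carries no usable credentials. Shared by authorize and deny_access so
  # both paths answer identically.
  DEFAULT_REALM = "Web Password".freeze
  DEFAULT_AUTH_ERROR = "Couldn't authenticate you".freeze

  # API requests are expected to carry their own credentials on every call
  # (resolved by setup_user_auth / current_token below) rather than rely on
  # a browser session, which is why the CSRF token check is skipped.
  # NOTE(review): that only holds if setup_user_auth never falls back to the
  # session cookie — confirm, since a cookie-authenticated action without
  # CSRF protection would be forgeable from another origin.
  skip_before_action :verify_authenticity_token

  private

  # Resolve the requester from the available auth sources and, when none
  # yields a user, answer with a 401 carrying a Basic challenge.
  #
  # @param realm [String] realm advertised in the WWW-Authenticate header
  # @param errormessage [String] plain-text body of the 401 response
  # @return [false, nil] false when the 401 was rendered, nil when a user
  #   was found (callers may use the result to stop the action)
  def authorize(realm = DEFAULT_REALM, errormessage = DEFAULT_AUTH_ERROR)
    # make the current_user object from any auth sources we have
    setup_user_auth
    return if current_user

    # no auth, the user does not exist or the password was wrong
    challenge_basic_auth(realm, errormessage)
    false
  end

  # Turn a failed authorization into the matching error response
  # (presumably wired up via rescue_from; the exception itself is unused):
  # a token present but lacking the permission gets a translated 403 body,
  # a request with a current_user but no token gets a bare 403, and an
  # anonymous request gets a 401 with a Basic challenge.
  #
  # @param _exception [Exception] the rescued error, used only for dispatch
  def deny_access(_exception)
    if current_token
      # set_locale first so the t() lookup below uses the request's locale
      set_locale
      report_error t("oauth.permissions.missing"), :forbidden
    elsif current_user
      head :forbidden
    else
      challenge_basic_auth(DEFAULT_REALM, DEFAULT_AUTH_ERROR)
    end
  end

  # Send the 401 response with a "WWW-Authenticate: Basic" challenge.
  # The realm is interpolated into a quoted header value; callers in this
  # file only pass literals, and it must stay free of quotes and CR/LF
  # if a caller ever supplies it from elsewhere.
  #
  # @param realm [String] realm advertised to the client
  # @param errormessage [String] plain-text body of the response
  def challenge_basic_auth(realm, errormessage)
    response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
    render :plain => errormessage, :status => :unauthorized
  end
end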