[Spree Upgrade] Authenticate API user through logged in user #3009

@HugsDaniel HugsDaniel commented Nov 9, 2018

What? Why?

Related to #3000

Use inheritance to set the current_api_user to spree_current_user when a call to the API is made.

What should we test?

When calling the API while logged in to the app, the current_api_user should be the logged-in user.

Release notes

The API user is now the app's logged-in user, if any user is logged in. This prevents actions with authorize! checks from failing, but parts of the API with no such check remain open for non-authenticated users.

Changelog Category: Added

How is this related to the Spree upgrade?

This comes from the fact that this line now doesn't have the try_spree_current_user setting, which means that if no API key is provided, the API user will be set to Spree.user_class.new, making any authorize! check fail.

@HugsDaniel HugsDaniel self-assigned this Nov 9, 2018
@luisramos0 luisramos0 left a comment

👍

# Authenticate API user
authenticate_user_without_spree_current_user
end
alias_method_chain :authenticate_user, :spree_current_user
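
Review bot: the `alias_method_chain :authenticate_user, :spree_current_user` call on the last line is deprecated as of Rails 5, and it leaves the real entry point hidden behind the generated `authenticate_user_without_spree_current_user` name called two lines above. Defining `authenticate_user` directly and calling `super` (or using `Module#prepend`) keeps the override visible at the point where authentication is decided and avoids depending on the generated alias.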

Although this solves the problem, IMO there's no benefit in using alias_method_chain here. There are two things that lead me to think we should implement this differently:

If I'm not mistaken we can leverage the inheritance we're already using here. What about?

Suggested change
alias_method_chain :authenticate_user, :spree_current_user
def authenticate_user
@current_api_user = try_spree_current_user
super
end

ah, yes, we are extending not class_evaling.... this was a SUPER suggestion @sauloperez :-)

@HugsDaniel HugsDaniel force-pushed the authenticate-api-use-through-logged-in-user branch from 259ea35 to bc7674e Compare November 14, 2018 10:57
@HugsDaniel HugsDaniel force-pushed the authenticate-api-use-through-logged-in-user branch from bc7674e to 3dd981c Compare November 14, 2018 10:58
@luisramos0 luisramos0 merged commit c19e954 into openfoodfoundation:2-0-stable Nov 14, 2018
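
A plain-Ruby model of the behaviour discussed in this thread, added here as an example and not code from the pull request, Spree or Open Food Network. `User`, `ApiBase`, `OfnApi`, `outcome` and the sample key are assumptions; the base class only mimics what the description states (no API key means a blank user, so `authorize!` fails), and the subclass applies the suggested `super` override. It also shows the caveat from the release notes: an action with no `authorize!` check stays reachable without authentication.

```ruby
# Simplified stand-ins (assumptions): none of these are Spree or OFN classes.
User = Struct.new(:id) do
  def persisted?; !id.nil?; end
end
class Unauthorized < StandardError; end

# Models the upstream behaviour described in the PR: without an API key
# the API user becomes a blank, unsaved user.
class ApiBase
  USERS_BY_KEY = { "constructed-key" => User.new(1) }.freeze # constructed sample data
  attr_reader :current_api_user

  def initialize(api_key: nil, session_user: nil)
    @api_key, @session_user = api_key, session_user
  end

  def authenticate_user
    @current_api_user ||= USERS_BY_KEY[@api_key] || User.new
  end

  def authorize! # stand-in for a CanCan-style check
    raise Unauthorized unless current_api_user.persisted?
  end

  def protected_action
    authenticate_user
    authorize!
    :ok
  end

  def unchecked_action # no authorize! call: reachable whoever the API user is
    authenticate_user
    :ok
  end
end

# The override from the review suggestion: seed the API user from the
# session, then defer to the parent implementation.
class OfnApi < ApiBase
  def try_spree_current_user; @session_user; end

  def authenticate_user
    @current_api_user = try_spree_current_user
    super
  end
end

def outcome(controller, action)
  controller.public_send(action)
rescue Unauthorized
  :denied
end
```
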