From d948071e49a6b3aef16cd7a43ec1b2fbe418ce70 Mon Sep 17 00:00:00 2001
From: benji
Date: Wed, 9 Sep 2015 14:08:40 +0200
Subject: [PATCH] Put authentication on api

---
 app/controllers/application_controller.rb | 9 ++++++---
 app/controllers/transactions_controller.rb | 5 +++++
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index dd697e4..deb151c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,12 +1,16 @@
 class ApplicationController < ActionController::Base
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :null_session
+  protect_from_forgery with: :exception
 
   rescue_from CanCan::AccessDenied do |exception|
     redirect_to root_url, alert: exception.message
   end
 
+  def authenticate_user_or_client!
+    current_user || current_client || raise(Exception.new)
+  end
+
   def current_client
     @current_client ||= identify_client
   end
@@ -15,7 +19,7 @@ class ApplicationController < ActionController::Base
     if current_user
       @current_ability ||= Ability.new(current_user)
     elsif current_client
-      @current_ability ||= ClientAbility.new(current_account)
+      @current_ability ||= ClientAbility.new(current_client)
     end
   end
 
@@ -25,5 +29,4 @@ class ApplicationController < ActionController::Base
     key = request.headers["X-API-KEY"]
     Client.find_by key: key if key
   end
-
 end
diff --git a/app/controllers/transactions_controller.rb b/app/controllers/transactions_controller.rb
index 72128f6..7a53d30 100644
--- a/app/controllers/transactions_controller.rb
+++ b/app/controllers/transactions_controller.rb
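Review bot: `authenticate_user_or_client!` rejects an unauthenticated request with a bare `raise(Exception.new)`, which surfaces to the caller as a 500 rather than a 401 and, because `Exception` is not a `StandardError`, slips past ordinary `rescue` clauses and `rescue_from` handlers in this class. A halting response is clearer for API callers and for logs: `current_user || current_client || head(:unauthorized)` (rendering inside a before_action halts the filter chain), or raise a named `StandardError` subclass that a `rescue_from` maps to 401. The new guard also trusts `identify_client` further down this file, where `Client.find_by key: key if key` still runs for an empty `X-API-KEY` header (`""` is truthy in Ruby), so a client row with a blank key would authenticate; `if key.present?` would close that, though that lookup is context and not changed by this commit.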
@@ -1,4 +1,9 @@ class TransactionsController < ApplicationController + skip_before_filter :verify_authenticity_token, only: :create + + before_action :authenticate_user!, except: :create + before_action :authenticate_user_or_client!, only: :create + def index @transactions = Transaction.all end
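Review bot: `skip_before_filter :verify_authenticity_token, only: :create` turns CSRF protection off for `create` while `authenticate_user_or_client!` still accepts `current_user`, so a cross-site POST from a logged-in browser is accepted with no token — exactly the hole that switching `protect_from_forgery` to `:exception` was meant to close. Skip the check only for API-key requests, e.g. `skip_before_filter :verify_authenticity_token, only: :create, if: -> { request.headers["X-API-KEY"].present? }`, so session-authenticated callers keep the token check. As a point of style, `skip_before_filter` is the Rails 3 name and this hunk mixes it with `before_action`; `skip_before_action` would match. `authenticate_user!` is not defined in this diff and is presumably Devise's helper; the controller body continues past the hunk.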