Allow authenticated users to access api without key

Fixes solidusio#2817
nebulab · Apr 8, 2013 · 30ae1ff · 30ae1ff
1 parent aca50ff
commit 30ae1ff
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/api/app/controllers/spree/api/base_controller.rb b/api/app/controllers/spree/api/base_controller.rb
@@ -63,13 +63,15 @@ def check_for_user_or_api_key
  end
 
  def authenticate_user
- if requires_authentication? || api_key.present?
- unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
- render "spree/api/errors/invalid_api_key", :status => 401 and return
+ unless @current_api_user
+ if requires_authentication? || api_key.present?
+ unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
+ render "spree/api/errors/invalid_api_key", :status => 401 and return
+ end
+ else
+ # An anonymous user
+ @current_api_user = Spree.user_class.new
  end
- else
- # An authenticated user or an anonymous user
- @current_api_user = try_spree_current_user || Spree.user_class.new
  end
  end
 

diff --git a/api/spec/controllers/spree/api/base_controller_spec.rb b/api/spec/controllers/spree/api/base_controller_spec.rb
@@ -11,7 +11,7 @@ def index
  context "signed in as a user using an authentication extension" do
  before do
  controller.stub :try_spree_current_user => stub(:email => "[email protected]")
- Spree::Api::Config[:requires_authentication] = false
+ Spree::Api::Config[:requires_authentication] = true
  end
 
  it "can make a request" do