11453: Accept salted tokens at /users/current and /groups.
[arvados.git] / services / api / app / controllers / application_controller.rb
index d09283d928617b15f6ea2b820a6d4eb3b06e734a..b3718e102145736d6f818f965f6ce8d546ba9be8 100644 (file)
@@ -344,7 +344,19 @@ class ApplicationController < ActionController::Base
         .all
     end
     @read_auths.select! { |auth| auth.scopes_allow_request? request }
-    @read_users = @read_auths.map { |auth| auth.user }.uniq
+
+    # Use a salted token as a reader token for /groups/ and /users/current
+    if params[:remote_id] && (
+         request.path.start_with?('/arvados/v1/groups') ||
+         request.path.start_with?('/arvados/v1/users/current'))
+      auth = ApiClientAuthorization.validate(remote_id: params[:remote_id])
+      if auth && auth.user
+        Thread.current[:user] = auth.user
+        @read_auths << auth
+      end
+    end
+
+    @read_users = @read_auths.map(&:user).uniq
   end
 
   def require_login
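Review bot: The auth obtained from the salted token is appended to `@read_auths` after the `select!` on the previous lines has already run, so it is the only entry that never goes through `scopes_allow_request? request`; a token whose scopes do not cover this request would still be used as a reader token and its user installed in `Thread.current[:user]`. The guard should apply the same filter, `if auth && auth.user && auth.scopes_allow_request?(request)`, so the scope check holds for every auth in the list. The comment calls this a reader token, but `start_with?('/arvados/v1/groups')` matches every groups action regardless of HTTP method; if read-only use is meant to be enforced here rather than elsewhere, the condition should also check `request.get?`, otherwise the comment should say where that restriction lives. The enclosing method starts before this hunk.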