X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/105c22f44dad79968b59f577a40737ffc8da00ec..a8d73de4f59cf567a96f2f04be01a249d4f7c20b:/services/api/app/controllers/application_controller.rb

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index 9826cf2f90..ba7c07d272 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0
 
 require 'safe_json'
+require 'request_error'
 
 module ApiTemplateOverride
   def allowed_to_render?(fieldset, field, model, options)
@@ -137,7 +138,7 @@ class ApplicationController < ActionController::Base
 
   def render_error(e)
     logger.error e.inspect
-    if e.respond_to? :backtrace and e.backtrace
+    if !e.is_a? RequestError and (e.respond_to? :backtrace and e.backtrace)
       logger.error e.backtrace.collect { |x| x + "\n" }.join('')
     end
     if (@object.respond_to? :errors and
@@ -345,7 +346,7 @@ class ApplicationController < ActionController::Base
         .all
     end
     @read_auths.select! { |auth| auth.scopes_allow_request? request }
-    @read_users = @read_auths.map { |auth| auth.user }.uniq
+    @read_users = @read_auths.map(&:user).uniq
   end
 
   def require_login
@@ -365,7 +366,7 @@ class ApplicationController < ActionController::Base
   end
 
   def require_auth_scope
-    if @read_auths.empty?
+    unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid }
       if require_login != false
         send_error("Forbidden", status: 403)
       end
@@ -402,7 +403,7 @@ class ApplicationController < ActionController::Base
   def set_cors_headers
     response.headers['Access-Control-Allow-Origin'] = '*'
     response.headers['Access-Control-Allow-Methods'] = 'GET, HEAD, PUT, POST, DELETE'
-    response.headers['Access-Control-Allow-Headers'] = 'Authorization'
+    response.headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type'
     response.headers['Access-Control-Max-Age'] = '86486400'
   end
 
@@ -554,6 +555,10 @@ class ApplicationController < ActionController::Base
     }
   end
 
+  def self._update_requires_parameters
+    {}
+  end
+
   def self._index_requires_parameters
     {
       filters: { type: 'array', required: false },