support URL param to token, but still restrict to APIs
authorUnknwon <u@gogs.io>
Wed, 2 Sep 2015 06:45:01 +0000 (02:45 -0400)
committerUnknwon <u@gogs.io>
Wed, 2 Sep 2015 06:45:01 +0000 (02:45 -0400)
modules/auth/auth.go

index 9b624594799b028a7bf10236caf06b4cf972d580..ecae5b06b0e9ad2a2cee0b9f2edd7e1241f96dde 100644 (file)
@@ -32,32 +32,34 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
        }
 
        // Check access token.
-       tokenSHA := ctx.Query("token")
-       if len(tokenSHA) == 0 {
-               // Well, check with header again.
-               auHead := ctx.Req.Header.Get("Authorization")
-               if len(auHead) > 0 {
-                       auths := strings.Fields(auHead)
-                       if len(auths) == 2 && auths[0] == "token" {
-                               tokenSHA = auths[1]
+       if IsAPIPath(ctx.Req.URL.Path) {
+               tokenSHA := ctx.Query("token")
+               if len(tokenSHA) == 0 {
+                       // Well, check with header again.
+                       auHead := ctx.Req.Header.Get("Authorization")
+                       if len(auHead) > 0 {
+                               auths := strings.Fields(auHead)
+                               if len(auths) == 2 && auths[0] == "token" {
+                                       tokenSHA = auths[1]
+                               }
                        }
                }
-       }
 
-       // Let's see if token is valid.
-       if len(tokenSHA) > 0 {
-               t, err := models.GetAccessTokenBySHA(tokenSHA)
-               if err != nil {
-                       if models.IsErrAccessTokenNotExist(err) {
-                               log.Error(4, "GetAccessTokenBySHA: %v", err)
+               // Let's see if token is valid.
+               if len(tokenSHA) > 0 {
+                       t, err := models.GetAccessTokenBySHA(tokenSHA)
+                       if err != nil {
+                               if models.IsErrAccessTokenNotExist(err) {
+                                       log.Error(4, "GetAccessTokenBySHA: %v", err)
+                               }
+                               return 0
                        }
-                       return 0
-               }
-               t.Updated = time.Now()
-               if err = models.UpdateAccessToekn(t); err != nil {
-                       log.Error(4, "UpdateAccessToekn: %v", err)
+                       t.Updated = time.Now()
+                       if err = models.UpdateAccessToekn(t); err != nil {
+                               log.Error(4, "UpdateAccessToekn: %v", err)
+                       }
+                       return t.UID
                }
-               return t.UID
        }
 
        uid := sess.Get("uid")
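Review bot: The error branch after `models.GetAccessTokenBySHA` logs only when `models.IsErrAccessTokenNotExist(err)` is true, so an unknown token is written to the error log on every bad request while any other lookup failure (a database error, for instance) returns 0 with no trace; the condition looks inverted and probably should read `if !models.IsErrAccessTokenNotExist(err) {`. The branch is carried over from the old side with only its indentation changed, so this commit does not address it. Separately, `ctx.Query("token")` is consulted before the `Authorization` header, and a credential in the URL can be recorded in access logs, proxy logs and Referer headers; a comment on that line such as `// Query token is a fallback; clients should prefer the "Authorization: token <sha>" header.` would make the trade-off visible. `IsAPIPath` is defined outside this hunk, so how strictly it matches the request path cannot be confirmed here, and the body of `SignedInID` continues past the end of the hunk.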