Don't allow access to the API Tokens resource if using an API token.
Review Request #6257 — Created Aug. 23, 2014 and submitted — Latest diff uploaded
This change blocks off access to the user's API Tokens resource if the
user is logging in through an API token. They instead have to log in
using their main username and password.

This prevents a vulnerability where a client using a restricted API
token that still had read access to the API Tokens resource would be
able to look up a more permissive token and use that.

There's a new 'api_token_access_allowed' flag on resources that can be
turned off to prevent token-based access.

Some work had to be done to the basic test mixins to only perform the
API tokens test if the unit tests don't turn it off.
Unit tests pass.
I tested manually using curl with and without API tokens. I wasn't able
to access the API Tokens resource with any token.
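The access rule described in this change, as an added example that is not Review Board's own code: a per-resource `api_token_access_allowed` flag that refuses every token-authenticated request regardless of the token's policy, so a restricted token can no longer read the API Tokens resource and pick up a more permissive one. The `APIToken`, `Request`, `Resource` and `check_access` names and the policy dict shape are assumptions for this example; only the flag name comes from the change.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class APIToken:
    """Constructed stand-in for a stored API token and its access policy."""
    token: str
    # Assumed policy shape: resource name -> allowed HTTP methods.
    policy: Dict[str, List[str]] = field(default_factory=dict)


@dataclass
class Request:
    user: str
    method: str = "GET"
    # None when the client logged in with username/password, else the token used.
    api_token: Optional[APIToken] = None


@dataclass
class Resource:
    name: str
    # The flag from the change: False refuses every token-authenticated request.
    api_token_access_allowed: bool = True


def check_access(request: Request, resource: Resource) -> int:
    """Return an HTTP-style status: 200 if allowed, 403 if denied."""
    token = request.api_token
    if token is None:
        return 200  # password session: the user's normal permissions apply
    if not resource.api_token_access_allowed:
        return 403  # no token may reach this resource, whatever its policy grants
    if request.method not in token.policy.get(resource.name, []):
        return 403  # restricted token lacks this method on this resource
    return 200


# Constructed scenario: a read-only token whose policy still covers api_tokens.
RESTRICTED = APIToken("tok_readonly_EXAMPLE",
                      {"review_requests": ["GET"], "api_tokens": ["GET"]})
TOKENS_RESOURCE = Resource("api_tokens", api_token_access_allowed=False)
REVIEWS_RESOURCE = Resource("review_requests")


def escalation_blocked() -> bool:
    """True when the token cannot list tokens but a password session still can."""
    via_token = check_access(Request("alice", api_token=RESTRICTED), TOKENS_RESOURCE)
    via_password = check_access(Request("alice"), TOKENS_RESOURCE)
    return via_token == 403 and via_password == 200
```

With the flag left at its default of True, the same read-only token gets a 200 on `api_tokens`, which is the escalation path the change closes.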