From 64516b3a374d5ef0c027d64cbcbebd480a3f90b4 Mon Sep 17 00:00:00 2001
From: r888888888
Date: Thu, 18 Jun 2015 17:03:33 -0700
Subject: [PATCH] fixes #2389

---
 app/controllers/application_controller.rb | 13 +++++++++++++
 app/logical/session_loader.rb             | 10 ++++++++++
 2 files changed, 23 insertions(+)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4104efe77..3ca3a0644 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,6 +14,7 @@ class ApplicationController < ActionController::Base
   rescue_from Exception, :with => :rescue_exception
   rescue_from User::PrivilegeError, :with => :access_denied
+  rescue_from SessionLoader::AuthenticationFailure, :with => :authentication_failed
   rescue_from Danbooru::Paginator::PaginationError, :with => :render_pagination_limit
 
 protected
 
@@ -47,6 +48,18 @@ protected
     render :template => "static/error", :status => 410
   end
 
+  def authentication_failed
+    respond_to do |fmt|
+      fmt.html do
+        render :text => "authentication failed", :status => 401
+      end
+
+      fmt.json do
+        render :json => {:success => false, :reason => "authentication failed"}, :status => 401
+      end
+    end
+  end
+
   def access_denied(exception = nil)
     previous_url = params[:url] || request.fullpath
 
diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb
index 3040743a5..b479644f8 100644
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -1,4 +1,6 @@
 class SessionLoader
+  class AuthenticationFailure < Exception ; end
+
   attr_reader :session, :cookies, :request, :params
 
   def initialize(session, cookies, request, params)
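Review bot: The new `rescue_from SessionLoader::AuthenticationFailure` line only takes effect because it is declared after `rescue_from Exception`; Rails consults rescue_from handlers in reverse declaration order, so moving the new line above the `Exception` handler would let `rescue_exception` swallow authentication failures and the dedicated 401 response would never be sent. That ordering dependency is invisible at the call site and deserves a comment, e.g. `# keep below rescue_from Exception: later declarations take precedence`. The same applies to the `User::PrivilegeError` and `PaginationError` lines that already sit below it.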
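Review bot: `authentication_failed` answers only `html` and `json`; a request negotiated to any other format the app serves (the hunk does not show whether there are others) would raise `ActionController::UnknownFormat` inside the handler and fall through to the generic `rescue_exception` path instead of a 401. A closing `fmt.any { head :unauthorized }` inside the `respond_to` block would keep the 401 for every format. Separately, the sibling handler is declared as `def access_denied(exception = nil)`; giving this one the same `(exception = nil)` signature keeps the two rescue_from targets parallel and lets a caller pass the exception for logging later. The generic "authentication failed" body, identical for both formats, is the right choice here since it reveals nothing about whether the name or the key was wrong.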
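Review bot: `AuthenticationFailure` subclasses `Exception` directly, so a bare `rescue` or `rescue => e` anywhere between `SessionLoader` and the controller (middleware, helpers, tests) will not catch it; it is caught in `ApplicationController` only because `rescue_from` matches the class explicitly. Unless bypassing `StandardError` rescues is intentional, the conventional form is `class AuthenticationFailure < StandardError; end` (also dropping the stray space before the `;`). If the bypass is intentional, a one-line comment stating why would stop the next maintainer from "fixing" it.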
@@ -57,11 +59,19 @@ private
   def authenticate_api_key(name, api_key)
     CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.authenticate_api_key(name, api_key)
+
+    if CurrentUser.user.nil?
+      raise AuthenticationFailure.new
+    end
   end
 
   def authenticate_legacy_api_key(name, password_hash)
     CurrentUser.ip_addr = request.remote_ip
     CurrentUser.user = User.authenticate_hash(name, password_hash)
+
+    if CurrentUser.user.nil?
+      raise AuthenticationFailure.new
+    end
   end
 
   def load_session_user
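Review bot: The same three-line nil check is added verbatim to both `authenticate_api_key` and `authenticate_legacy_api_key`; each can be the single modifier line `raise AuthenticationFailure if CurrentUser.user.nil?` (`raise Klass` is the idiomatic form, `.new` is redundant). Since both methods already hold `request.remote_ip`, this is also the natural place to log the failed attempt with that address and the supplied `name` (never the key or hash) so repeated failures against one account are visible to whoever monitors the logs; nothing in the hunk records the failure today. Note that `CurrentUser.ip_addr` and `CurrentUser.user` have already been assigned (the latter to `nil`) by the time the exception is raised, which appears fine here because the controller handler renders immediately, but any code that later reads `CurrentUser.user` in the same request would see `nil` rather than an anonymous user, if the loader normally provides one (not visible in this hunk).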