Fix #2785: Allow changing API key; require password to view or change key.

app/controllers/api_keys_controller.rb

@@ -1,17 +0,0 @@
-class ApiKeysController < ApplicationController
-  before_filter :member_only
-
-  def new
-    @api_key = ApiKey.new(:user_id => CurrentUser.user.id)
-  end
-
-  def create
-    @api_key = ApiKey.generate!(CurrentUser.user)
-    
-    if @api_key.errors.empty?
-      redirect_to user_path(CurrentUser.user), :notice => "API key generated"
-    else
-      render :action => "new"
-    end
-  end
-end

app/controllers/maintenance/user/api_keys_controller.rb

@@ -0,0 +1,44 @@
+module Maintenance
+  module User
+    class ApiKeysController < ApplicationController
+      before_filter :member_only
+      before_filter :check_privilege
+      before_filter :authenticate!, :except => [:show]
+      rescue_from ::SessionLoader::AuthenticationFailure, :with => :authentication_failed
+      respond_to :html, :json, :xml
+
+      def view
+        respond_with(CurrentUser.user, @api_key)
+      end
+
+      def update
+        @api_key.regenerate!
+        respond_with(CurrentUser.user, @api_key) { |format| format.js }
+      end
+
+      def destroy
+        @api_key.destroy
+        respond_with(CurrentUser.user, @api_key, location: CurrentUser.user)
+      end
+
+      protected
+
+      def check_privilege
+        raise ::User::PrivilegeError unless params[:user_id].to_i == CurrentUser.id
+      end
+
+      def authenticate!
+        if ::User.authenticate(CurrentUser.user.name, params[:user][:password]) == CurrentUser.user
+          @api_key = CurrentUser.user.api_key || ApiKey.generate!(CurrentUser.user)
+          @password = params[:user][:password]
+        else
+          raise ::SessionLoader::AuthenticationFailure
+        end
+      end
+
+      def authentication_failed
+        redirect_to(user_api_key_path(CurrentUser.user), :notice => "Password was incorrect.")
+      end
+    end
+  end
+end