Is it acceptable to support sys_api_key in HTTP header?
Rest API key can be set at HTTP header while sys_api_key is NOT.
From the security point of view, sys_api_key should also be able to be passed via HTTP header as Rest API key is.
params[:key] is used for sys_api_key so that I think it's also OK to use X-Redmine-API-Key http header for sys_api_key as well.
As the result, can we refactor params[:key] in SysController#check_enabled with ApplicationController#api_key_from_request ?
(Actually SysController does NOT inherit ApplicationController so that "api_key_from_request" method would be better to be factored out to any Concern-ed module and include from the both controllers. )
If this is acceptable, let me post my patch with some testing code.