[#1427] Extra check that admin OAuth scope is used by admin. Adjusted tests.
This commit is contained in:
Ivan Tashkinov
parent
40e1817f70
commit
1770602747
4 changed files with 67 additions and 27 deletions
|
|
@ -1736,7 +1736,8 @@ defmodule Pleroma.User do
|
|||
|
||||
with {:ok, updated_user} <- update_and_set_cache(changeset) do
|
||||
if user.is_admin && !updated_user.is_admin do
|
||||
# Tokens & authorizations containing any admin scopes must be revoked (revoking all)
|
||||
# Tokens & authorizations containing any admin scopes must be revoked (revoking all).
|
||||
# This is an extra safety measure (tokens' admin scopes won't be accepted for non-admins).
|
||||
global_sign_out(user)
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue