hj/pleroma
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[#1427] Graceful clearance of OAuth admin scopes for non-admin users (no error raised).

Browse source 
PleromaFE and other clients may safely request admin scope(s): if user isn't an admin, request is successful but only non-admin scopes from request are granted.
This commit is contained in:
Ivan Tashkinov 2019-12-12 16:00:06 +03:00
commit 81b05340e9
2 changed files with 57 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

4
lib/pleroma/web/oauth/scopes.ex
View file

@ -79,7 +79,9 @@ defmodule Pleroma.Web.OAuth.Scopes do
if user.is_admin || !contains_admin_scopes?(scopes) || !contains_admin_scopes?(app_scopes) do
{:ok, scopes}
else
{:error, :unsupported_scopes}
# Gracefully dropping admin scopes from requested scopes if user isn't an admin (not raising)
scopes = scopes -- OAuthScopesPlug.filter_descendants(scopes, ["admin"])
validate(scopes, app_scopes, user)
end
end