Allow moderators to get the admin scope again

Fixes #463
This commit is contained in:
FloatingGhost 2023-03-08 17:39:35 +00:00
parent c8add9d1dc
commit 87d5e5b06a
2 changed files with 38 additions and 0 deletions


@ -71,6 +71,8 @@ def validate(scopes, app_scopes, _user) do
""" """
def filter_admin_scopes(scopes, %Pleroma.User{is_admin: true}), do: scopes def filter_admin_scopes(scopes, %Pleroma.User{is_admin: true}), do: scopes
def filter_admin_scopes(scopes, %Pleroma.User{is_moderator: true}), do: scopes
def filter_admin_scopes(scopes, _user) do def filter_admin_scopes(scopes, _user) do
drop_scopes = OAuthScopesPlug.filter_descendants(scopes, ["admin"]) drop_scopes = OAuthScopesPlug.filter_descendants(scopes, ["admin"])
Enum.reject(scopes, fn scope -> Enum.member?(drop_scopes, scope) end) Enum.reject(scopes, fn scope -> Enum.member?(drop_scopes, scope) end)
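Review bot: The new `%Pleroma.User{is_moderator: true}` clause lets moderators keep every `admin`-prefixed scope, but nothing records why, and the `@doc` for `filter_admin_scopes/2` (its closing `"""` is the first context line of this hunk) will still read as if only admins are exempt. Update that docstring to state that moderators are exempt as well, and add a why-comment on the new clause such as `# Moderators keep admin scopes too (#463); presumably the admin API still gates individual endpoints by privilege — confirm`, since that enforcement is not visible here. Because the admin and moderator clauses have identical bodies, one guarded clause, `def filter_admin_scopes(scopes, %Pleroma.User{is_admin: admin, is_moderator: mod}) when admin or mod, do: scopes`, would keep the two exemptions from drifting apart. The surrounding `def filter_admin_scopes(scopes, _user) do` clause ends outside the hunk.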


@ -728,6 +728,42 @@ test "redirects with oauth authorization, " <>
assert auth.scopes == scopes_subset assert auth.scopes == scopes_subset
end end
test "redirects with oauth authorization, " <>
"granting requested app-supported scopes to moderators" do
app_scopes = ["read", "write", "admin", "secret_scope"]
app = insert(:oauth_app, scopes: app_scopes)
redirect_uri = OAuthController.default_redirect_uri(app)
scopes_subset = ["read:subscope", "write", "admin"]
admin = insert(:user, is_moderator: true)
# In case scope param is missing, expecting _all_ app-supported scopes to be granted
conn =
post(
build_conn(),
"/oauth/authorize",
%{
"authorization" => %{
"name" => admin.nickname,
"password" => "test",
"client_id" => app.client_id,
"redirect_uri" => redirect_uri,
"scope" => scopes_subset,
"state" => "statepassed"
}
}
)
target = redirected_to(conn)
assert target =~ redirect_uri
query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
assert %{"state" => "statepassed", "code" => code} = query
auth = Repo.get_by(Authorization, token: code)
assert auth
assert auth.scopes == scopes_subset
end
test "redirects with oauth authorization, " <> test "redirects with oauth authorization, " <>
"granting requested app-supported scopes for non-admin users" do "granting requested app-supported scopes for non-admin users" do
app_scopes = ["read", "write", "secret_scope", "admin"] app_scopes = ["read", "write", "secret_scope", "admin"]
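Review bot: The comment `# In case scope param is missing, expecting _all_ app-supported scopes to be granted` in the new moderator test does not describe what the test does: it sends `"scope" => scopes_subset` explicitly and asserts that exactly that subset, including `"admin"`, is granted, so the comment looks copied from the neighbouring admin test. Replace it with `# Moderators must be granted the requested "admin" scope instead of having it filtered out`. The binding `admin = insert(:user, is_moderator: true)` should be renamed `moderator` (and `admin.nickname` to `moderator.nickname`) so the fixture's role matches the behaviour under test.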