Allow moderators to get the admin scope again
Fixes #463
This commit is contained in:
parent
c8add9d1dc
commit
87d5e5b06a
2 changed files with 38 additions and 0 deletions
@ -71,6 +71,8 @@ def validate(scopes, app_scopes, _user) do
|
||||||
"""
|
"""
|
||||||
def filter_admin_scopes(scopes, %Pleroma.User{is_admin: true}), do: scopes
|
def filter_admin_scopes(scopes, %Pleroma.User{is_admin: true}), do: scopes
|
||||||
|
|
||||||
|
def filter_admin_scopes(scopes, %Pleroma.User{is_moderator: true}), do: scopes
|
||||||
|
|
||||||
def filter_admin_scopes(scopes, _user) do
|
def filter_admin_scopes(scopes, _user) do
|
||||||
drop_scopes = OAuthScopesPlug.filter_descendants(scopes, ["admin"])
|
drop_scopes = OAuthScopesPlug.filter_descendants(scopes, ["admin"])
|
||||||
Enum.reject(scopes, fn scope -> Enum.member?(drop_scopes, scope) end)
|
Enum.reject(scopes, fn scope -> Enum.member?(drop_scopes, scope) end)
|
||||||
|
|
|
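Review bot: The new `def filter_admin_scopes(scopes, %Pleroma.User{is_moderator: true}), do: scopes` clause returns the requested scopes untouched, so a moderator's token can carry every descendant of `admin` (for example `admin:write`), not a moderator-sized subset — any admin endpoint that gates on scope alone must therefore also check the user's role, which this hunk cannot show. If that is intended, state it where the clause is added: `# Moderators keep the full admin scope tree; per-action authorization must still be enforced by the admin API plugs (see #463).` If a narrower grant is wanted, the clause should instead call `OAuthScopesPlug.filter_descendants` with the moderator-permitted scopes rather than passing everything through. The docstring closed by the `"""` above the first clause begins outside the hunk and presumably still describes admin-only behaviour; it should mention moderators as well.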
@ -728,6 +728,42 @@ test "redirects with oauth authorization, " <>
|
||||||
assert auth.scopes == scopes_subset
|
assert auth.scopes == scopes_subset
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "redirects with oauth authorization, " <>
|
||||||
|
"granting requested app-supported scopes to moderators" do
|
||||||
|
app_scopes = ["read", "write", "admin", "secret_scope"]
|
||||||
|
app = insert(:oauth_app, scopes: app_scopes)
|
||||||
|
redirect_uri = OAuthController.default_redirect_uri(app)
|
||||||
|
scopes_subset = ["read:subscope", "write", "admin"]
|
||||||
|
admin = insert(:user, is_moderator: true)
|
||||||
|
|
||||||
|
# In case scope param is missing, expecting _all_ app-supported scopes to be granted
|
||||||
|
conn =
|
||||||
|
post(
|
||||||
|
build_conn(),
|
||||||
|
"/oauth/authorize",
|
||||||
|
%{
|
||||||
|
"authorization" => %{
|
||||||
|
"name" => admin.nickname,
|
||||||
|
"password" => "test",
|
||||||
|
"client_id" => app.client_id,
|
||||||
|
"redirect_uri" => redirect_uri,
|
||||||
|
"scope" => scopes_subset,
|
||||||
|
"state" => "statepassed"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
target = redirected_to(conn)
|
||||||
|
assert target =~ redirect_uri
|
||||||
|
|
||||||
|
query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
|
||||||
|
|
||||||
|
assert %{"state" => "statepassed", "code" => code} = query
|
||||||
|
auth = Repo.get_by(Authorization, token: code)
|
||||||
|
assert auth
|
||||||
|
assert auth.scopes == scopes_subset
|
||||||
|
end
|
||||||
|
|
||||||
test "redirects with oauth authorization, " <>
|
test "redirects with oauth authorization, " <>
|
||||||
"granting requested app-supported scopes for non-admin users" do
|
"granting requested app-supported scopes for non-admin users" do
|
||||||
app_scopes = ["read", "write", "secret_scope", "admin"]
|
app_scopes = ["read", "write", "secret_scope", "admin"]
|
||||||
|
|
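Review bot: The comment `# In case scope param is missing, expecting _all_ app-supported scopes to be granted` in the new moderator test appears copied from a neighbouring test and is wrong here, because the request explicitly sends `"scope" => scopes_subset`; replace it with `# Moderators are expected to keep the requested admin scope (#463)` or drop it. The user is bound as `admin` although it is created with `insert(:user, is_moderator: true)`; renaming it `moderator` (and the `"name" => moderator.nickname` reference) keeps the test honest about what it exercises. The test only checks the bare `admin` scope; since `read:subscope` is already granted against an app that declares only `read`, asserting that a descendant such as `admin:read` also survives would cover the `filter_descendants` path the fix touches. The test block itself is wholly inside the hunk.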