Allow moderators to get the admin scope again
Fixes #463
This commit is contained in:
parent
c8add9d1dc
commit
87d5e5b06a
2 changed files with 38 additions and 0 deletions
|
@ -71,6 +71,8 @@ def validate(scopes, app_scopes, _user) do
|
|||
"""
|
||||
def filter_admin_scopes(scopes, %Pleroma.User{is_admin: true}), do: scopes
|
||||
|
||||
def filter_admin_scopes(scopes, %Pleroma.User{is_moderator: true}), do: scopes
|
||||
|
||||
def filter_admin_scopes(scopes, _user) do
|
||||
drop_scopes = OAuthScopesPlug.filter_descendants(scopes, ["admin"])
|
||||
Enum.reject(scopes, fn scope -> Enum.member?(drop_scopes, scope) end)
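Review bot: The new clause `def filter_admin_scopes(scopes, %Pleroma.User{is_moderator: true}), do: scopes` makes a moderator indistinguishable from an admin at the scope-filtering level: every `admin`-descendant scope an app requests now passes through untouched, so the scope filter no longer expresses any difference between the two roles. That is acceptable only if the per-endpoint permission checks (presumably the admin API controllers and `OAuthScopesPlug`, which this hunk already calls for `filter_descendants/2`) remain the real authorization boundary for what a moderator may do with such a token; a reader of this function cannot tell that from the code. The function's `@doc` closes with the `"""` on the hunk's first line but its text sits outside the hunk, so it likely still describes the filter as admin-only and should be updated to mention moderators. A short why-comment on the clause would also help, e.g. `# Moderators may hold the full admin scope tree; what they may do with it is decided per endpoint.`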
|
||||
|
|
|
@ -728,6 +728,42 @@ test "redirects with oauth authorization, " <>
|
|||
assert auth.scopes == scopes_subset
|
||||
end
|
||||
|
||||
test "redirects with oauth authorization, " <>
|
||||
"granting requested app-supported scopes to moderators" do
|
||||
app_scopes = ["read", "write", "admin", "secret_scope"]
|
||||
app = insert(:oauth_app, scopes: app_scopes)
|
||||
redirect_uri = OAuthController.default_redirect_uri(app)
|
||||
scopes_subset = ["read:subscope", "write", "admin"]
|
||||
admin = insert(:user, is_moderator: true)
|
||||
|
||||
# In case scope param is missing, expecting _all_ app-supported scopes to be granted
|
||||
conn =
|
||||
post(
|
||||
build_conn(),
|
||||
"/oauth/authorize",
|
||||
%{
|
||||
"authorization" => %{
|
||||
"name" => admin.nickname,
|
||||
"password" => "test",
|
||||
"client_id" => app.client_id,
|
||||
"redirect_uri" => redirect_uri,
|
||||
"scope" => scopes_subset,
|
||||
"state" => "statepassed"
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
target = redirected_to(conn)
|
||||
assert target =~ redirect_uri
|
||||
|
||||
query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
|
||||
|
||||
assert %{"state" => "statepassed", "code" => code} = query
|
||||
auth = Repo.get_by(Authorization, token: code)
|
||||
assert auth
|
||||
assert auth.scopes == scopes_subset
|
||||
end
|
||||
|
||||
test "redirects with oauth authorization, " <>
|
||||
"granting requested app-supported scopes for non-admin users" do
|
||||
app_scopes = ["read", "write", "secret_scope", "admin"]
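Review bot: In the new moderator test the user is bound as `admin = insert(:user, is_moderator: true)` and later used as `admin.nickname`, which misstates what the test exercises; rename it to `moderator = insert(:user, is_moderator: true)` and `"name" => moderator.nickname`. The comment `# In case scope param is missing, expecting _all_ app-supported scopes to be granted` appears to be carried over from the admin test and contradicts the request, which does send `"scope" => scopes_subset`; replace it with `# Explicit scope param: the requested subset, including "admin", must reach a moderator unfiltered`. The assertion `assert auth.scopes == scopes_subset` is the right check here, since the non-admin test that follows shows `admin` would otherwise be dropped.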
|
||||
|
|