akkoma/lib/pleroma/web/plugs/o_auth_scopes_plug.ex
rinpatch 2ab9499258 OAuthScopesPlug: remove transform_scopes in favor of explicit admin scope definitions
Transforming scopes is no longer necessary since we are dropping
support for accessing admin api without `admin:` prefix in scopes.
2021-02-17 21:37:23 +03:00

59 lines
1.6 KiB
Elixir

# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Web.Plugs.OAuthScopesPlug do
import Plug.Conn
import Pleroma.Web.Gettext
alias Pleroma.Helpers.AuthHelper
use Pleroma.Web, :plug
def init(%{scopes: _} = options), do: options
@impl true
def perform(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
op = options[:op] || :|
token = assigns[:token]
matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []
cond do
token && op == :| && Enum.any?(matched_scopes) ->
conn
token && op == :& && matched_scopes == scopes ->
conn
options[:fallback] == :proceed_unauthenticated ->
AuthHelper.drop_auth_info(conn)
true ->
missing_scopes = scopes -- matched_scopes
permissions = Enum.join(missing_scopes, " #{op} ")
error_message =
dgettext("errors", "Insufficient permissions: %{permissions}.", permissions: permissions)
conn
|> put_resp_content_type("application/json")
|> send_resp(:forbidden, Jason.encode!(%{error: error_message}))
|> halt()
end
end
@doc "Keeps those of `scopes` which are descendants of `supported_scopes`"
def filter_descendants(scopes, supported_scopes) do
Enum.filter(
scopes,
fn scope ->
Enum.find(
supported_scopes,
&(scope == &1 || String.starts_with?(scope, &1 <> ":"))
)
end
)
end
end