diff --git a/lib/pleroma/web/o_auth/scopes.ex b/lib/pleroma/web/o_auth/scopes.ex
index 344ecd631..a170eb33b 100644
--- a/lib/pleroma/web/o_auth/scopes.ex
+++ b/lib/pleroma/web/o_auth/scopes.ex
@@ -71,6 +71,8 @@ def validate(scopes, app_scopes, _user) do
   """
   def filter_admin_scopes(scopes, %Pleroma.User{is_admin: true}), do: scopes
 
+  def filter_admin_scopes(scopes, %Pleroma.User{is_moderator: true}), do: scopes
+
   def filter_admin_scopes(scopes, _user) do
     drop_scopes = OAuthScopesPlug.filter_descendants(scopes, ["admin"])
     Enum.reject(scopes, fn scope -> Enum.member?(drop_scopes, scope) end)
diff --git a/test/pleroma/web/o_auth/o_auth_controller_test.exs b/test/pleroma/web/o_auth/o_auth_controller_test.exs
index 303bc2cf2..9924023fe 100644
--- a/test/pleroma/web/o_auth/o_auth_controller_test.exs
+++ b/test/pleroma/web/o_auth/o_auth_controller_test.exs
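Review bot: The new `is_moderator: true` clause lets a moderator's OAuth token carry every `admin`-descendant scope the app requests, exactly as for a full admin, so the scope filter no longer distinguishes the two roles; unless each endpoint behind those scopes also checks the user's role (not visible here), this widens what a moderator's token is accepted for, and that assumption should be confirmed and stated in the doc block that closes with `"""` at the top of the hunk (the documented function starts outside the hunk). I would extend that doc with a sentence such as `Admins and moderators keep any "admin"-prefixed scopes they request; endpoints must still enforce is_admin vs is_moderator themselves, since the token alone no longer tells them apart.` The two pass-through clauses could also be folded into one, `def filter_admin_scopes(scopes, %Pleroma.User{is_admin: admin?, is_moderator: mod?}) when admin? or mod?, do: scopes`, so the role set is visible in a single head.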
@@ -728,6 +728,42 @@ test "redirects with oauth authorization, " <>
       assert auth.scopes == scopes_subset
     end
 
+    test "redirects with oauth authorization, " <>
+           "granting requested app-supported scopes to moderators" do
+      app_scopes = ["read", "write", "admin", "secret_scope"]
+      app = insert(:oauth_app, scopes: app_scopes)
+      redirect_uri = OAuthController.default_redirect_uri(app)
+      scopes_subset = ["read:subscope", "write", "admin"]
+      admin = insert(:user, is_moderator: true)
+
+      # In case scope param is missing, expecting _all_ app-supported scopes to be granted
+      conn =
+        post(
+          build_conn(),
+          "/oauth/authorize",
+          %{
+            "authorization" => %{
+              "name" => admin.nickname,
+              "password" => "test",
+              "client_id" => app.client_id,
+              "redirect_uri" => redirect_uri,
+              "scope" => scopes_subset,
+              "state" => "statepassed"
+            }
+          }
+        )
+
+      target = redirected_to(conn)
+      assert target =~ redirect_uri
+
+      query = URI.parse(target).query |> URI.query_decoder() |> Map.new()
+
+      assert %{"state" => "statepassed", "code" => code} = query
+      auth = Repo.get_by(Authorization, token: code)
+      assert auth
+      assert auth.scopes == scopes_subset
+    end
+
     test "redirects with oauth authorization, " <>
            "granting requested app-supported scopes for non-admin users" do
       app_scopes = ["read", "write", "secret_scope", "admin"]
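Review bot: The comment `# In case scope param is missing, expecting _all_ app-supported scopes to be granted` does not describe this test, which explicitly sends `"scope" => scopes_subset` and asserts that only that subset comes back; it looks copied from the admin test above and should read `# scope param is given: the moderator is expected to receive exactly the requested subset, including "admin"`. The user under test is bound as `admin` although it is created with `is_moderator: true`, which hides the point of the test; rename it `moderator = insert(:user, is_moderator: true)` and use `moderator.nickname` in the params. The test only covers the grant path — a companion assertion that a moderator token is still rejected by admin-only endpoints would be the real safety net for this change, if such role checks exist outside this diff.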