commit: 1f498ba2bb77a6dd103631d9de1e5c1bbfaaea10
parent: 67a478d7090cdb9b7ca6338839fba8160f15f60a
Author: lain <lain@soykaf.club>
Date: Wed, 11 Dec 2019 08:50:43 +0000
Merge branch '1427-oauth-admin-scopes' into 'develop'
[#1427] Fixed `:admin` option handling in OAuthScopesPlug, added tests
Closes #1427
See merge request pleroma/pleroma!2053
Diffstat:
3 files changed, 56 insertions(+), 10 deletions(-)
diff --git a/lib/pleroma/config.ex b/lib/pleroma/config.ex
@@ -68,8 +68,13 @@ defmodule Pleroma.Config do
def enforce_oauth_admin_scope_usage?, do: !!get([:auth, :enforce_oauth_admin_scope_usage])
- def oauth_admin_scopes(scope) do
- ["admin:#{scope}"] ++
- if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
+ def oauth_admin_scopes(scopes) when is_list(scopes) do
+ Enum.flat_map(
+ scopes,
+ fn scope ->
+ ["admin:#{scope}"] ++
+ if enforce_oauth_admin_scope_usage?(), do: [], else: [scope]
+ end
+ )
end
end
diff --git a/lib/pleroma/plugs/oauth_scopes_plug.ex b/lib/pleroma/plugs/oauth_scopes_plug.ex
@@ -17,13 +17,7 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
op = options[:op] || :|
token = assigns[:token]
- scopes =
- if options[:admin] do
- Config.oauth_admin_scopes(scopes)
- else
- scopes
- end
-
+ scopes = transform_scopes(scopes, options)
matched_scopes = token && filter_descendants(scopes, token.scopes)
cond do
@@ -69,6 +63,15 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do
)
end
+ @doc "Transforms scopes by applying supported options (e.g. :admin)"
+ def transform_scopes(scopes, options) do
+ if options[:admin] do
+ Config.oauth_admin_scopes(scopes)
+ else
+ scopes
+ end
+ end
+
defp maybe_perform_instance_privacy_check(%Plug.Conn{} = conn, options) do
if options[:skip_instance_privacy_check] do
conn
diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs
@@ -224,4 +224,42 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
end
end
+
+ describe "transform_scopes/2" do
+ clear_config([:auth, :enforce_oauth_admin_scope_usage])
+
+ setup do
+ {:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
+ end
+
+ test "with :admin option, prefixes all requested scopes with `admin:` " <>
+ "and [optionally] keeps only prefixed scopes, " <>
+ "depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
+ %{f: f} do
+ Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+
+ assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
+
+ assert f.(["read", "write"], %{admin: true}) == [
+ "admin:read",
+ "read",
+ "admin:write",
+ "write"
+ ]
+
+ Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
+
+ assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
+
+ assert f.(["read", "write:reports"], %{admin: true}) == [
+ "admin:read",
+ "admin:write:reports"
+ ]
+ end
+
+ test "with no supported options, returns unmodified scopes", %{f: f} do
+ assert f.(["read"], %{}) == ["read"]
+ assert f.(["read", "write"], %{}) == ["read", "write"]
+ end
+ end
end
