X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/d642adc6e48798a6daa9a02a8a148a22e4d1f300..b7ee8034dc7625f9181f5f72d19c2dc95c70eeff:/app/controllers/api_controller.rb
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 5faa39165..0fe1ba18d 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -65,9 +65,16 @@ class ApiController < ApplicationController
 def current_ability
 # Use capabilities from the oauth token if it exists and is a valid access token
 if doorkeeper_token&.accessible?
- ApiAbility.new(doorkeeper_token)
+ user = User.find(doorkeeper_token.resource_owner_id)
+ scopes = Set.new doorkeeper_token.scopes
+ if scopes.include?("write_api")
+ scopes.add("write_map")
+ scopes.add("write_changeset_comments")
+ scopes.delete("write_api")
+ end
+ ApiAbility.new(user, scopes)
 else
- ApiAbility.new(nil)
+ ApiAbility.new(nil, Set.new)
 end
 end

@@ -75,8 +82,6 @@ class ApiController < ApplicationController
 if doorkeeper_token
 set_locale
 report_error t("oauth.permissions.missing"), :forbidden
- elsif current_user
- head :forbidden
 else
 head :unauthorized
 end
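Review bot: `User.find(doorkeeper_token.resource_owner_id)` raises ActiveRecord::RecordNotFound when the token's owner row no longer exists (or, presumably, when resource_owner_id is nil for a token issued without a resource owner), so an otherwise accessible token would surface as a not-found error rather than falling through to the unauthorized path the `else` branch represents; `user = User.find_by(:id => doorkeeper_token.resource_owner_id)` with a nil check that returns `ApiAbility.new(nil, Set.new)` would keep that failure on the authorization path, though whether ApiAbility tolerates a nil user alongside non-empty scopes is not visible here. The write_api expansion block deserves a why-comment so the next reader does not mistake it for a privilege bug, e.g. `# Map the legacy write_api scope onto the finer-grained write_map and write_changeset_comments scopes it used to cover`. `Set.new doorkeeper_token.scopes` should use parentheses like every other call in this hunk, and Set must already be in scope in this file — presumably loaded elsewhere in the app, worth confirming on older Ruby versions. The enclosing ApiController class continues outside the hunk.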