From: Tom Hughes <tom@compton.nu>
Date: Sat, 26 Jun 2021 23:38:16 +0000 (+0100)
Subject: Make /api/0.6/permissions work for OAuth 2 clients
X-Git-Tag: live~2091
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/608aafbf14da7d4372842828125a8a6eb492a61d

Make /api/0.6/permissions work for OAuth 2 clients
---

diff --git a/app/controllers/api/permissions_controller.rb b/app/controllers/api/permissions_controller.rb
index 9b168e04b..73b84f8ed 100644
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@@ -12,7 +12,9 @@ module Api
     # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.
     # * unauthenticated users have no permissions, so the list will be empty.
     def show
-      @permissions = if current_token.present?
+      @permissions = if doorkeeper_token.present?
+                       doorkeeper_token.scopes.map { |s| :"allow_#{s}" }
+                     elsif current_token.present?
                        ClientApplication.all_permissions.select { |p| current_token.read_attribute(p) }
                      elsif current_user
                        ClientApplication.all_permissions
diff --git a/test/controllers/api/permissions_controller_test.rb b/test/controllers/api/permissions_controller_test.rb
index b927ca703..3101abee2 100644
--- a/test/controllers/api/permissions_controller_test.rb
+++ b/test/controllers/api/permissions_controller_test.rb
@@ -31,7 +31,7 @@ module Api
       end
     end
 
-    def test_permissions_oauth
+    def test_permissions_oauth1
       token = create(:access_token,
                      :allow_read_prefs => true,
                      :allow_write_api => true,
@@ -45,5 +45,20 @@ module Api
         assert_select "permission[name='allow_read_gpx']", :count => 0
       end
     end
+
+    def test_permissions_oauth2
+      user = create(:user)
+      token = create(:oauth_access_token,
+                     :resource_owner_id => user.id,
+                     :scopes => %w[read_prefs write_api])
+      get permissions_path, :headers => bearer_authorization_header(token.token)
+      assert_response :success
+      assert_select "osm > permissions", :count => 1 do
+        assert_select "permission", :count => 2
+        assert_select "permission[name='allow_read_prefs']", :count => 1
+        assert_select "permission[name='allow_write_api']", :count => 1
+        assert_select "permission[name='allow_read_gpx']", :count => 0
+      end
+    end
   end
 end
diff --git a/test/factories/oauth_access_token.rb b/test/factories/oauth_access_token.rb
index c0f624530..5b39cb400 100644
--- a/test/factories/oauth_access_token.rb
+++ b/test/factories/oauth_access_token.rb
@@ -1,6 +1,5 @@
 FactoryBot.define do
   factory :oauth_access_token, :class => "Doorkeeper::AccessToken" do
-    association :resource_owner_id, :factory => :user
     association :application, :factory => :oauth_application
   end
 end