From: Andy Allan
Date: Wed, 2 Aug 2023 14:52:41 +0000 (+0100)
Subject: Merge pull request #4125 from tomhughes/oauth-scopes
X-Git-Tag: live~1472
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/a56cdd547e286c1cd9cfe11d31bde413964c19ee?hp=9619e699e1daf2ec1127cdf0bba7ffe2aa3bbb0c

Merge pull request #4125 from tomhughes/oauth-scopes

Only show granted permissions in the authorized application list
---
diff --git a/app/models/oauth2_application.rb b/app/models/oauth2_application.rb
index 165761520..73a02417d 100644
--- a/app/models/oauth2_application.rb
+++ b/app/models/oauth2_application.rb
@@ -3,6 +3,10 @@ class Oauth2Application < Doorkeeper::Application
 validate :allowed_scopes
+ def authorized_scopes_for(user)
+ authorized_tokens.where(:resource_owner_id => user).sum(Doorkeeper::OAuth::Scopes.new, &:scopes)
+ end
+
 private
 def allowed_scopes
diff --git a/app/views/oauth2_authorized_applications/_application.html.erb b/app/views/oauth2_authorized_applications/_application.html.erb
index 7cb03de2f..8abbb26ed 100644
--- a/app/views/oauth2_authorized_applications/_application.html.erb
+++ b/app/views/oauth2_authorized_applications/_application.html.erb
@@ -4,7 +4,7 @@
diff --git a/test/controllers/oauth2_authorized_applications_controller_test.rb b/test/controllers/oauth2_authorized_applications_controller_test.rb
index 347d3e40e..c01f7d6f3 100644
--- a/test/controllers/oauth2_authorized_applications_controller_test.rb
+++ b/test/controllers/oauth2_authorized_applications_controller_test.rb
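Review bot: `authorized_scopes_for` in app/models/oauth2_application.rb carries no comment saying which tokens it counts, and the list it feeds is what a user relies on when deciding whether to revoke an application. As written it returns the union of scopes over whatever the `authorized_tokens` association yields for that user; the association is defined outside this hunk, so whether expired as well as revoked tokens are excluded should be confirmed rather than assumed. I would add above the method: `# Union of the scopes on this user's tokens for this application, as filtered by authorized_tokens`. The block form of `sum` also appears to load every matching token into Ruby on each call, which is worth keeping in mind if the view calls it once per listed application. The class body continues past the end of the hunk.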
@@ -36,6 +36,32 @@ class Oauth2AuthorizedApplicationsControllerTest < ActionDispatch::IntegrationTe
 assert_select "tbody tr", 2
 end
+ def test_index_scopes
+ user = create(:user)
+ application1 = create(:oauth_application, :scopes => %w[read_prefs write_prefs write_diary read_gpx write_gpx])
+ create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+ create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+ create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+ create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+
+ get oauth_authorized_applications_path
+ assert_response :redirect
+ assert_redirected_to login_path(:referer => oauth_authorized_applications_path)
+
+ session_for(user)
+
+ get oauth_authorized_applications_path
+ assert_response :success
+ assert_template "oauth2_authorized_applications/index"
+ assert_select "tbody tr", 1
+ assert_select "tbody tr td ul" do
+ assert_select "li", :count => 3
+ assert_select "li", :text => "Read user preferences"
+ assert_select "li", :text => "Modify user preferences"
+ assert_select "li", :text => "Create diary entries, comments and make friends"
+ end
+ end
+
 def test_destroy
 user = create(:user)
 application1 = create(:oauth_application)
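Review bot: `test_index_scopes` only creates grants and tokens for the signed-in user, so the `resource_owner_id` filter in `authorized_scopes_for` is never exercised; the test would still pass if another user's scopes for the same application leaked into the list. Adding a token for a second user before the request, for example `create(:oauth_access_token, :resource_owner_id => create(:user).id, :application => application1, :scopes => %w[write_gpx])`, makes the existing `assert_select "li", :count => 3` cover that case. A revoked token for `user` carrying a scope not otherwise granted would pin down the other half of the behaviour, assuming the factory accepts a revocation timestamp.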