From 608aafbf14da7d4372842828125a8a6eb492a61d Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 27 Jun 2021 00:38:16 +0100
Subject: [PATCH] Make /api/0.6/permissions work for OAuth 2 clients

---
 app/controllers/api/permissions_controller.rb | 4 +++-
 .../api/permissions_controller_test.rb | 17 ++++++++++++++++-
 test/factories/oauth_access_token.rb | 1 -
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/app/controllers/api/permissions_controller.rb b/app/controllers/api/permissions_controller.rb
index 9b168e04b..73b84f8ed 100644
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@@ -12,7 +12,9 @@ module Api
 # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.
 # * unauthenticated users have no permissions, so the list will be empty.
 def show
- @permissions = if current_token.present?
+ @permissions = if doorkeeper_token.present?
+ doorkeeper_token.scopes.map { |s| :"allow_#{s}" }
+ elsif current_token.present?
 ClientApplication.all_permissions.select { |p| current_token.read_attribute(p) }
 elsif current_user
 ClientApplication.all_permissions
diff --git a/test/controllers/api/permissions_controller_test.rb b/test/controllers/api/permissions_controller_test.rb
index b927ca703..3101abee2 100644
--- a/test/controllers/api/permissions_controller_test.rb
+++ b/test/controllers/api/permissions_controller_test.rb
@@ -31,7 +31,7 @@ module Api
 end
 end

- def test_permissions_oauth
+ def test_permissions_oauth1
 token = create(:access_token,
 :allow_read_prefs => true,
 :allow_write_api => true,
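Review bot: In `show` in app/controllers/api/permissions_controller.rb, the new first branch tests only `doorkeeper_token.present?`, which as I read Doorkeeper means a token record matched the bearer value, not that the token is still usable. Unless a filter outside this hunk already rejects expired or revoked tokens before `show` runs, such a token would still be reported with its full scope list, and this branch takes precedence over the OAuth 1 and basic-auth branches below it. Consider `@permissions = if doorkeeper_token&.accessible?` so that only a live token selects this branch. The comment block above `show` starts outside the hunk; if it enumerates the authentication cases, it wants a bullet such as `# * if authenticated via OAuth 2 the list will contain the permissions matching the token's scopes.`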
@@ -45,5 +45,20 @@ module Api
 assert_select "permission[name='allow_read_gpx']", :count => 0
 end
 end
+
+ def test_permissions_oauth2
+ user = create(:user)
+ token = create(:oauth_access_token,
+ :resource_owner_id => user.id,
+ :scopes => %w[read_prefs write_api])
+ get permissions_path, :headers => bearer_authorization_header(token.token)
+ assert_response :success
+ assert_select "osm > permissions", :count => 1 do
+ assert_select "permission", :count => 2
+ assert_select "permission[name='allow_read_prefs']", :count => 1
+ assert_select "permission[name='allow_write_api']", :count => 1
+ assert_select "permission[name='allow_read_gpx']", :count => 0
+ end
+ end
 end
 end
diff --git a/test/factories/oauth_access_token.rb b/test/factories/oauth_access_token.rb
index c0f624530..5b39cb400 100644
--- a/test/factories/oauth_access_token.rb
+++ b/test/factories/oauth_access_token.rb
@@ -1,6 +1,5 @@
 FactoryBot.define do
 factory :oauth_access_token, :class => "Doorkeeper::AccessToken" do
- association :resource_owner_id, :factory => :user
 association :application, :factory => :oauth_application
 end
 end
--
2.39.5
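Review bot: `test_permissions_oauth2` in test/controllers/api/permissions_controller_test.rb pins only the happy path of a live token carrying two scopes. Nothing here checks what the endpoint returns for a bearer token that is expired or revoked, which is the case most likely to regress in the controller's `doorkeeper_token` branch. A companion test that builds the token with `:revoked_at => Time.now.utc` (constructed example) and asserts the intended response would close that gap. The intended response is presumably no `permission` elements or an authentication failure, to be confirmed against the API's filters.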