From c376962c9cc08d7787c28e447705c19242c0d638 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 30 Jul 2023 20:35:13 +0100
Subject: [PATCH] Only show granted permissions in the authorized application list

Fixes #4124
---
 app/models/oauth2_application.rb | 4 +++
 .../_application.html.erb | 2 +-
 ...authorized_applications_controller_test.rb | 26 +++++++++++++++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/app/models/oauth2_application.rb b/app/models/oauth2_application.rb
index 165761520..73a02417d 100644
--- a/app/models/oauth2_application.rb
+++ b/app/models/oauth2_application.rb
@@ -3,6 +3,10 @@ class Oauth2Application < Doorkeeper::Application

 validate :allowed_scopes

+ def authorized_scopes_for(user)
+ authorized_tokens.where(:resource_owner_id => user).sum(Doorkeeper::OAuth::Scopes.new, &:scopes)
+ end
+
 private

 def allowed_scopes
diff --git a/app/views/oauth2_authorized_applications/_application.html.erb b/app/views/oauth2_authorized_applications/_application.html.erb
index 7cb03de2f..8abbb26ed 100644
--- a/app/views/oauth2_authorized_applications/_application.html.erb
+++ b/app/views/oauth2_authorized_applications/_application.html.erb
@@ -4,7 +4,7 @@
diff --git a/test/controllers/oauth2_authorized_applications_controller_test.rb b/test/controllers/oauth2_authorized_applications_controller_test.rb
index 347d3e40e..c01f7d6f3 100644
--- a/test/controllers/oauth2_authorized_applications_controller_test.rb
+++ b/test/controllers/oauth2_authorized_applications_controller_test.rb
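Review bot: `authorized_scopes_for` in app/models/oauth2_application.rb carries no comment saying what counts as "authorized", although the list it feeds is what a user relies on when deciding whether to revoke an application. The result is the union of scopes over `authorized_tokens` for that user; as far as I know Doorkeeper limits that association to unrevoked tokens, but whether expired tokens are excluded is not visible in this hunk, so the page may still list scopes held only by expired tokens. I would add above the method `# Union of the scopes on this user's unrevoked access tokens for this application; access grants are not consulted.` and confirm the expiry behaviour before relying on it. The class body continues outside the hunk.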
@@ -36,6 +36,32 @@ class Oauth2AuthorizedApplicationsControllerTest < ActionDispatch::IntegrationTe
 assert_select "tbody tr", 2
 end

+ def test_index_scopes
+ user = create(:user)
+ application1 = create(:oauth_application, :scopes => %w[read_prefs write_prefs write_diary read_gpx write_gpx])
+ create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+ create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+ create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+ create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+
+ get oauth_authorized_applications_path
+ assert_response :redirect
+ assert_redirected_to login_path(:referer => oauth_authorized_applications_path)
+
+ session_for(user)
+
+ get oauth_authorized_applications_path
+ assert_response :success
+ assert_template "oauth2_authorized_applications/index"
+ assert_select "tbody tr", 1
+ assert_select "tbody tr td ul" do
+ assert_select "li", :count => 3
+ assert_select "li", :text => "Read user preferences"
+ assert_select "li", :text => "Modify user preferences"
+ assert_select "li", :text => "Create diary entries, comments and make friends"
+ end
+ end
+
 def test_destroy
 user = create(:user)
 application1 = create(:oauth_application)
--
2.39.5
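Review bot: `test_index_scopes` only exercises the positive case, so it would still pass if `authorized_scopes_for` stopped filtering by resource owner or began counting revoked tokens. Both tokens belong to `user` and are live, and the `:count => 3` assertion excludes `read_gpx` and `write_gpx` only because no token in the fixture carries them. Adding a token for a second user on the same application, e.g. `create(:oauth_access_token, :resource_owner_id => create(:user).id, :application => application1, :scopes => %w[write_gpx])`, plus one for `user` with `:revoked_at` set, would make the existing count pin both exclusions. That the factory accepts `:revoked_at` is assumed here, not shown in the hunk.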