authorMarkus Koller <markus-koller@gmx.ch>2017-01-31 11:21:29 +0100
committerAlexis Reigel <mail@koffeinfrei.org>2017-03-07 15:00:29 +0100
commiteefbc837301acc49a33617063faafa97adee307e (patch)
treeb46f35df1792744897dfe1d31d9a519d19f09669 /app/models/personal_access_token.rb
parent93daeee16428707fc348f8c45215854aed6e117a (diff)
Only use API scopes for personal access tokens
Diffstat (limited to 'app/models/personal_access_token.rb')
-rw-r--r--app/models/personal_access_token.rb10
1 files changed, 10 insertions, 0 deletions
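--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -9,6 +9,8 @@ class PersonalAccessToken < ActiveRecord::Base
   scope :active, -> { where(revoked: false).where("expires_at >= NOW() OR expires_at IS NULL") }
   scope :inactive, -> { where("revoked = true OR expires_at < NOW()") }
 
+  validate :validate_scopes
+
   def self.generate(params)
     personal_access_token = self.new(params)
     personal_access_token.ensure_token
@@ -19,4 +21,12 @@ class PersonalAccessToken < ActiveRecord::Base
     self.revoked = true
     self.save
   end
+
+  protected
+
+  def validate_scopes
+    unless Set.new(scopes.map(&:to_sym)).subset?(Set.new(Gitlab::Auth::API_SCOPES))
+      errors.add :scopes, "can only contain API scopes"
+    end
+  end
 end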
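Review bot: `validate_scopes` symbolizes every submitted scope via `scopes.map(&:to_sym)` before comparing, so the check is driven by values derived from request input rather than by the allow-list; normalising both sides to strings and diffing against the allowed list is the safer shape, e.g. `allowed = Gitlab::Auth::API_SCOPES.map(&:to_s)`, `invalid = Array(scopes).map(&:to_s) - allowed`, `errors.add :scopes, "can only contain API scopes" unless invalid.empty?`. `Array(scopes)` also keeps the validator from raising NoMethodError if `scopes` is ever nil, which the hunk does not guard against (whether the column has a non-nil default is not visible here). Note that an empty scope list is trivially a subset and passes this validation; if a token must carry at least one scope, that needs a separate presence check. Exposing the callback as `protected` rather than `private` also reads oddly for a validation method that nothing outside the class should call.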