diff options
author | Timothy Andrew <mail@timothyandrew.net> | 2017-06-20 08:27:45 +0000 |
---|---|---|
committer | Timothy Andrew <mail@timothyandrew.net> | 2017-06-28 07:17:13 +0000 |
commit | 80c1ebaa83f346e45346baac584f21878652c350 (patch) | |
tree | 9a4aa49a6ad51aee496696b4284979da4ff670eb /app/services/access_token_validation_service.rb | |
parent | 6f1922500bc9e2c6d53c46dfcbd420687dfe6e6b (diff) | |
download | gitlab-ce-80c1ebaa83f346e45346baac584f21878652c350.tar.gz |
Allow API scope declarations to be applied conditionally.
- Scope declarations of the form:
allow_access_with_scope :read_user, if: -> (request) { request.get? }
will only apply for `GET` requests
- Add a negative test to a `POST` endpoint in the `users` API to test this. Also
test for this case in the `AccessTokenValidationService` unit tests.
Diffstat (limited to 'app/services/access_token_validation_service.rb')
-rw-r--r-- | app/services/access_token_validation_service.rb | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/app/services/access_token_validation_service.rb b/app/services/access_token_validation_service.rb index f171f8194bd..6d39ad245d2 100644 --- a/app/services/access_token_validation_service.rb +++ b/app/services/access_token_validation_service.rb @@ -5,10 +5,11 @@ class AccessTokenValidationService REVOKED = :revoked INSUFFICIENT_SCOPE = :insufficient_scope - attr_reader :token + attr_reader :token, :request - def initialize(token) + def initialize(token, request) @token = token + @request = request end def validate(scopes: []) @@ -31,11 +32,13 @@ class AccessTokenValidationService if scopes.blank? true else - #scopes = scopes.reject { |scope| scope[:if].presence && !scope[:if].call(request) } - # Check whether the token is allowed access to any of the required scopes. + # Remove any scopes whose `if` condition does not return `true` + scopes = scopes.reject { |scope| scope[:if].presence && !scope[:if].call(request) } - scope_names = scopes.map { |scope| scope[:name].to_s } - Set.new(scope_names).intersection(Set.new(token.scopes)).present? + # Check whether the token is allowed access to any of the required scopes. + passed_scope_names = scopes.map { |scope| scope[:name].to_sym } + token_scope_names = token.scopes.map(&:to_sym) + Set.new(passed_scope_names).intersection(Set.new(token_scope_names)).present? end end end |