author | Douwe Maan <douwe@gitlab.com> | 2017-07-05 13:25:38 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2017-07-05 13:25:38 +0000 |
commit | 98768953f31d9b4f243c52e4dd5579f21cb7976f (patch) | |
tree | fdf61ee0508168c9bcc05e8895876a06819ba7c6 /app/services | |
parent | 6df61942e9b42fe6a733606b89f3f16f3b20f1e2 (diff) | |
parent | 94258a6500855ca37e42e442ede642091a8d4366 (diff) | |
Merge branch '33580-fix-api-scoping' into 'master'
Fix API Scoping
Closes #33580 and #33022
See merge request !12300
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/access_token_validation_service.rb | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/app/services/access_token_validation_service.rb b/app/services/access_token_validation_service.rb
index b2a543daa00..9c00ea789ec 100644
--- a/app/services/access_token_validation_service.rb
+++ b/app/services/access_token_validation_service.rb
@@ -5,10 +5,11 @@ class AccessTokenValidationService
   REVOKED = :revoked
   INSUFFICIENT_SCOPE = :insufficient_scope
 
-  attr_reader :token
+  attr_reader :token, :request
 
-  def initialize(token)
+  def initialize(token, request: nil)
     @token = token
+    @request = request
   end
 
   def validate(scopes: [])
@@ -27,12 +28,23 @@ class AccessTokenValidationService
   end
 
   # True if the token's scope contains any of the passed scopes.
-  def include_any_scope?(scopes)
-    if scopes.blank?
+  def include_any_scope?(required_scopes)
+    if required_scopes.blank?
       true
     else
-      # Check whether the token is allowed access to any of the required scopes.
-      Set.new(scopes).intersection(Set.new(token.scopes)).present?
+      # We're comparing each required_scope against all token scopes, which would
+      # take quadratic time. This consideration is irrelevant here because of the
+      # small number of records involved.
+      # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12300/#note_33689006
+      token_scopes = token.scopes.map(&:to_sym)
+
+      required_scopes.any? do |scope|
+        if scope.respond_to?(:sufficient?)
+          scope.sufficient?(token_scopes, request)
+        else
+          API::Scope.new(scope).sufficient?(token_scopes, request)
+        end
+      end
     end
   end
 end |
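Review bot: The context comment above `include_any_scope?` in the second hunk still reads "True if the token's scope contains any of the passed scopes", but the rewritten body no longer tests containment: each required scope is asked `sufficient?(token_scopes, request)`, so a scope object can now accept or reject based on the request as well as the token's scope names. Suggest updating it to `# True if any required scope (an API::Scope, or a name coerced into one) is satisfied by the token's scopes for the current request.` Because `initialize` in the first hunk defaults `request` to nil, `sufficient?` is reached with a nil request whenever a caller omits it; whether that is safe depends on how `API::Scope#sufficient?` uses its second argument, which is outside this diff, so a short note at the default (`request: nil # scopes with request-dependent conditions need a real request`) would make the contract explicit. Note also that `required_scopes.blank?` still returns true, granting access, when no scopes are required; that is pre-existing behavior but worth a one-line comment so it is not mistaken for a deny-by-default check.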