author | Markus Koller <markus-koller@gmx.ch> | 2017-02-06 16:39:35 +0100 |
committer | Alexis Reigel <mail@koffeinfrei.org> | 2017-03-07 15:00:29 +0100 |
commit | 8699c8338f21404aa08c9a141768201ed02b2c93 (patch) | |
tree | 168b3277c3c23a49268ec11dc38ed284ee610825 /app | |
parent | eefbc837301acc49a33617063faafa97adee307e (diff) | |
Require explicit scopes on personal access tokens
Gitlab::Auth and API::APIGuard already check for at least one valid
scope on personal access tokens, so if the scopes are empty the token
will always fail validation.
Diffstat (limited to 'app')
-rw-r--r-- | app/models/personal_access_token.rb | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/app/models/personal_access_token.rb b/app/models/personal_access_token.rb
index f3e38aba7c9..df8a0612b18 100644
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@@ -9,7 +9,8 @@ class PersonalAccessToken < ActiveRecord::Base
   scope :active, -> { where(revoked: false).where("expires_at >= NOW() OR expires_at IS NULL") }
   scope :inactive, -> { where("revoked = true OR expires_at < NOW()") }
 
-  validate :validate_scopes
+  validates :scopes, presence: true
+  validate :validate_api_scopes
 
   def self.generate(params)
     personal_access_token = self.new(params)
@@ -24,8 +25,8 @@ class PersonalAccessToken < ActiveRecord::Base
 
   protected
 
-  def validate_scopes
-    unless Set.new(scopes.map(&:to_sym)).subset?(Set.new(Gitlab::Auth::API_SCOPES))
+  def validate_api_scopes
+    unless scopes.all? { |scope| Gitlab::Auth::API_SCOPES.include?(scope.to_sym) }
       errors.add :scopes, "can only contain API scopes"
     end
   end |
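Review bot: `validate_api_scopes` in the second hunk still dereferences `scopes` unconditionally, so if the attribute can ever be nil (this depends on whether the column is serialized with an Array default, which is not visible here) `scopes.all?` raises NoMethodError before the new presence validator's error is ever reported; a guard such as `return if scopes.blank?` as the first line of the method lets `validates :scopes, presence: true` own that case. The comparison also calls `scope.to_sym` on each caller-supplied scope string, which interns untrusted input; comparing as strings avoids that, e.g. `Gitlab::Auth::API_SCOPES.map(&:to_s).include?(scope.to_s)`, or keep a frozen string list next to `API_SCOPES`. Worth a one-line comment above the method, `# Every requested scope must be a known API scope; presence is checked separately.`, since the split across two validators is otherwise easy to undo. The enclosing `PersonalAccessToken` class starts and ends outside both hunks.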