authorTimothy Andrew <mail@timothyandrew.net>2017-06-28 07:12:23 +0000
committerTimothy Andrew <mail@timothyandrew.net>2017-06-29 06:15:57 +0000
commitb8ec1f4201c74c500e4f7010b238c7920599da7a (patch)
treef13e0aab941b8ff209716315a4d21626db878373 /app
parentc1fcd730cc9dbee5b41ce2a6a12f8d84416b1a4a (diff)
downloadgitlab-ce-b8ec1f4201c74c500e4f7010b238c7920599da7a.tar.gz
Extract a `Gitlab::Scope` class.
- To represent an authorization scope, such as `api` or `read_user`.
- This is a better abstraction than the hash we were previously using.
Diffstat (limited to 'app')
-rw-r--r--app/services/access_token_validation_service.rb17
1 files changed, 8 insertions, 9 deletions
diff --git a/app/services/access_token_validation_service.rb b/app/services/access_token_validation_service.rb
index ee2e93a0d63..bf5aef0055e 100644
--- a/app/services/access_token_validation_service.rb
+++ b/app/services/access_token_validation_service.rb
@@ -28,17 +28,16 @@ class AccessTokenValidationService
end
# True if the token's scope contains any of the passed scopes.
- def include_any_scope?(scopes)
- if scopes.blank?
+ def include_any_scope?(required_scopes)
+ if required_scopes.blank?
true
else
- # Remove any scopes whose `if` condition does not return `true`
- scopes = scopes.select { |scope| scope.if.nil? || scope.if.call(request) }
-
- # Check whether the token is allowed access to any of the required scopes.
- passed_scope_names = scopes.map { |scope| scope.name.to_sym }
- token_scope_names = token.scopes.map(&:to_sym)
- Set.new(passed_scope_names).intersection(Set.new(token_scope_names)).present?
+ # We're comparing each required_scope against all token scopes, which would
+ # take quadratic time. This consideration is irrelevant here because of the
+ # small number of records involved.
+ # https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/12300/#note_33689006
+ token_scopes = token.scopes.map(&:to_sym)
+ required_scopes.any? { |scope| scope.sufficient?(token_scopes, request) }
end
end
end
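Review bot: The `required_scopes.blank?` branch fails open — a caller that passes no scopes gets `true` for any token — and the method comment above `include_any_scope?` still only describes the non-blank case; I'd extend it to `# True if any of the required scopes is satisfied by the token (see Scope#sufficient?).` followed by `# A blank required_scopes list means no scope restriction and always returns true.`. This is existing behaviour rather than something the commit introduces, but the parameter rename is the right moment to state it, since a route that forgets to declare scopes silently accepts any token. The hunk also replaces the explicit `scope.if` filter with `scope.sufficient?(token_scopes, request)`; assuming that method still honours the `if` condition and the name comparison, behaviour is unchanged, but that cannot be confirmed from this hunk. The enclosing class starts outside the hunk.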