+
+ defp authorize_admin_scopes(scopes, app_scopes, %User{} = user) do
+ if user.is_admin || !contains_admin_scopes?(scopes) || !contains_admin_scopes?(app_scopes) do
+ {:ok, scopes}
+ else
+ # Gracefully dropping admin scopes from requested scopes if user isn't an admin (not raising)
+ scopes = scopes -- OAuthScopesPlug.filter_descendants(scopes, ["admin"])
+ validate(scopes, app_scopes, user)
+ end
+ end
+
+ def contains_admin_scopes?(scopes) do
+ scopes
+ |> OAuthScopesPlug.filter_descendants(["admin"])
+ |> Enum.any?()
+ end