defmodule Pleroma.Plugs.OAuthScopesPlug do
import Plug.Conn
- alias Pleroma.Web.OAuth
+ import Pleroma.Web.Gettext
@behaviour Plug
- def init(%{required_scopes: _} = options), do: options
+ def init(%{scopes: _} = options), do: options
- def call(%Plug.Conn{assigns: assigns} = conn, %{required_scopes: required_scopes}) do
+ def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
+ op = options[:op] || :|
token = assigns[:token]
- granted_scopes = token && OAuth.parse_scopes(token.scope)
-
- if is_nil(token) || required_scopes -- granted_scopes == [] do
- conn
- else
- missing_scopes = required_scopes -- granted_scopes
- error_message = "Insufficient permissions: #{Enum.join(missing_scopes, ", ")}."
-
- conn
- |> put_resp_content_type("application/json")
- |> send_resp(403, Jason.encode!(%{error: error_message}))
- |> halt()
+
+ cond do
+ is_nil(token) ->
+ conn
+
+ op == :| && scopes -- token.scopes != scopes ->
+ conn
+
+ op == :& && scopes -- token.scopes == [] ->
+ conn
+
+ options[:fallback] == :proceed_unauthenticated ->
+ conn
+ |> assign(:user, nil)
+ |> assign(:token, nil)
+
+ true ->
+ missing_scopes = scopes -- token.scopes
+ permissions = Enum.join(missing_scopes, " #{op} ")
+
+ error_message =
+ dgettext("errors", "Insufficient permissions: %{permissions}.", permissions: permissions)
+
+ conn
+ |> put_resp_content_type("application/json")
+ |> send_resp(:forbidden, Jason.encode!(%{error: error_message}))
+ |> halt()
end
end
end