def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
op = options[:op] || :|
token = assigns[:token]
+ matched_scopes = token && filter_descendants(scopes, token.scopes)
cond do
is_nil(token) ->
conn
- op == :| && scopes -- token.scopes != scopes ->
+ op == :| && Enum.any?(matched_scopes) ->
conn
- op == :& && scopes -- token.scopes == [] ->
+ op == :& && matched_scopes == scopes ->
conn
options[:fallback] == :proceed_unauthenticated ->
|> assign(:token, nil)
true ->
- missing_scopes = scopes -- token.scopes
+ missing_scopes = scopes -- matched_scopes
permissions = Enum.join(missing_scopes, " #{op} ")
error_message =
|> halt()
end
end
+
+ @doc "Filters descendants of supported scopes"
+ def filter_descendants(scopes, supported_scopes) do
+ Enum.filter(
+ scopes,
+ fn scope ->
+ Enum.find(
+ supported_scopes,
+ &(scope == &1 || String.starts_with?(scope, &1 <> ":"))
+ )
+ end
+ )
+ end
end
alias Pleroma.Notification
alias Pleroma.Object
alias Pleroma.Pagination
+ alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.Plugs.RateLimiter
alias Pleroma.Repo
alias Pleroma.ScheduledActivity
require Logger
require Pleroma.Constants
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "read:blocks"]} when action in [:blocks, :domain_blocks]
+ )
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:blocks"]}
+ when action in [:block, :unblock, :block_domain, :unblock_domain]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["follow", "read:follows"]} when action == :follow_requests)
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:follows"]}
+ when action in [
+ :follow,
+ :unfollow,
+ :subscribe,
+ :unsubscribe,
+ :authorize_follow_request,
+ :reject_follow_request
+ ]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["follow", "read:mutes"]} when action == :mutes)
+ plug(OAuthScopesPlug, %{scopes: ["follow", "write:mutes"]} when action in [:mute, :unmute])
+
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["write:mutes"]}
+ when action in [:mute_conversation, :unmute_conversation]
+ )
+
@rate_limited_relations_actions ~w(follow unfollow)a
@rate_limited_status_actions ~w(reblog_status unreblog_status fav_status unfav_status
defp validate_scopes(app, params) do
params
|> Scopes.fetch_scopes(app.scopes)
- |> Scopes.validates(app.scopes)
+ |> Scopes.validate(app.scopes)
end
def default_redirect_uri(%App{} = app) do
"""
@doc """
- Fetch scopes from requiest params.
+ Fetch scopes from request params.
Note: `scopes` is used by Mastodon — supporting it but sticking to
OAuth's standard `scope` wherever we control it
@doc """
Validates scopes.
"""
- @spec validates(list() | nil, list()) ::
+ @spec validate(list() | nil, list()) ::
{:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
- def validates([], _app_scopes), do: {:error, :missing_scopes}
- def validates(nil, _app_scopes), do: {:error, :missing_scopes}
+ def validate([], _app_scopes), do: {:error, :missing_scopes}
+ def validate(nil, _app_scopes), do: {:error, :missing_scopes}
- def validates(scopes, app_scopes) do
- case scopes -- app_scopes do
- [] -> {:ok, scopes}
+ def validate(scopes, app_scopes) do
+ case Pleroma.Plugs.OAuthScopesPlug.filter_descendants(scopes, app_scopes) do
+ ^scopes -> {:ok, scopes}
_ -> {:error, :unsupported_scopes}
end
end
plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["write"]})
end
- pipeline :oauth_follow do
- plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["follow"]})
- end
-
pipeline :oauth_push do
plug(Pleroma.Plugs.OAuthScopesPlug, %{scopes: ["push"]})
end
post("/main/ostatus", UtilController, :remote_subscribe)
get("/ostatus_subscribe", UtilController, :remote_follow)
-
- scope [] do
- pipe_through(:oauth_follow)
- post("/ostatus_subscribe", UtilController, :do_remote_follow)
- end
+ post("/ostatus_subscribe", UtilController, :do_remote_follow)
end
scope "/api/pleroma", Pleroma.Web.TwitterAPI do
end
scope [] do
- pipe_through(:oauth_follow)
-
post("/blocks_import", UtilController, :blocks_import)
post("/follow_import", UtilController, :follow_import)
end
end
scope [] do
- pipe_through(:oauth_follow)
-
post("/follows", MastodonAPIController, :follow)
post("/accounts/:id/follow", MastodonAPIController, :follow)
alias Pleroma.Healthcheck
alias Pleroma.Notification
alias Pleroma.Plugs.AuthenticationPlug
+ alias Pleroma.Plugs.OAuthScopesPlug
alias Pleroma.User
alias Pleroma.Web
alias Pleroma.Web.CommonAPI
alias Pleroma.Web.WebFinger
+ plug(
+ OAuthScopesPlug,
+ %{scopes: ["follow", "write:follows"]}
+ when action in [:do_remote_follow, :follow_import]
+ )
+
+ plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
+
plug(Pleroma.Plugs.SetFormatPlug when action in [:config, :version])
def help_test(conn, _params) do
refute conn.assigns[:user]
end
- test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
+ test "returns 403 and halts " <>
+ "in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"])
any_of_scopes = ["follow"]
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
end
- test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
+ test "returns 403 and halts " <>
+ "in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
%{conn: conn} do
token = insert(:oauth_token, scopes: ["read", "write"])
all_of_scopes = ["write", "follow"]
assert Jason.encode!(%{error: expected_error}) == conn.resp_body
end
+
+ describe "with hierarchical scopes, " do
+ test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
+ conn: conn
+ } do
+ token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: ["read:something"]})
+
+ refute conn.halted
+ assert conn.assigns[:user]
+ end
+
+ test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
+ conn: conn
+ } do
+ token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
+
+ conn =
+ conn
+ |> assign(:user, token.user)
+ |> assign(:token, token)
+ |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&})
+
+ refute conn.halted
+ assert conn.assigns[:user]
+ end
+ end
end
assert response == "job started"
end
- test "requires 'follow' permission", %{conn: conn} do
+ test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
token1 = insert(:oauth_token, scopes: ["read", "write"])
token2 = insert(:oauth_token, scopes: ["follow"])
+ token3 = insert(:oauth_token, scopes: ["something"])
another_user = insert(:user)
- for token <- [token1, token2] do
+ for token <- [token1, token2, token3] do
conn =
conn
|> put_req_header("authorization", "Bearer #{token.token}")
|> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
- if token == token1 do
- assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403)
+ if token == token3 do
+ assert %{"error" => "Insufficient permissions: follow | write:follows."} ==
+ json_response(conn, 403)
else
assert json_response(conn, 200)
end
projects / akkoma / commitdiff