diff options
Diffstat (limited to 'lib/pleroma/plugs/oauth_scopes_plug.ex')
| -rw-r--r-- | lib/pleroma/plugs/oauth_scopes_plug.ex | 43 |
1 files changed, 25 insertions, 18 deletions
diff --git a/lib/pleroma/plugs/oauth_scopes_plug.ex b/lib/pleroma/plugs/oauth_scopes_plug.ex index a3278dbef..efc25b79f 100644 --- a/lib/pleroma/plugs/oauth_scopes_plug.ex +++ b/lib/pleroma/plugs/oauth_scopes_plug.ex @@ -1,37 +1,34 @@ # Pleroma: A lightweight social networking server -# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/> +# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/> # SPDX-License-Identifier: AGPL-3.0-only defmodule Pleroma.Plugs.OAuthScopesPlug do import Plug.Conn import Pleroma.Web.Gettext - alias Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug + alias Pleroma.Config - @behaviour Plug + use Pleroma.Web, :plug def init(%{scopes: _} = options), do: options - def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do + @impl true + def perform(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do op = options[:op] || :| token = assigns[:token] - matched_scopes = token && filter_descendants(scopes, token.scopes) - cond do - is_nil(token) -> - maybe_perform_instance_privacy_check(conn, options) + scopes = transform_scopes(scopes, options) + matched_scopes = (token && filter_descendants(scopes, token.scopes)) || [] - op == :| && Enum.any?(matched_scopes) -> + cond do + token && op == :| && Enum.any?(matched_scopes) -> conn - op == :& && matched_scopes == scopes -> + token && op == :& && matched_scopes == scopes -> conn options[:fallback] == :proceed_unauthenticated -> - conn - |> assign(:user, nil) - |> assign(:token, nil) - |> maybe_perform_instance_privacy_check(options) + drop_auth_info(conn) true -> missing_scopes = scopes -- matched_scopes @@ -47,6 +44,15 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do end end + @doc "Drops authentication info from connection" + def drop_auth_info(conn) do + # To simplify debugging, setting a private variable on `conn` if auth info is dropped + conn + |> put_private(:authentication_ignored, true) + |> assign(:user, nil) + |> assign(:token, nil) + end + @doc "Filters descendants of supported scopes" def filter_descendants(scopes, supported_scopes) do Enum.filter( @@ -60,11 +66,12 @@ defmodule Pleroma.Plugs.OAuthScopesPlug do ) end - defp maybe_perform_instance_privacy_check(%Plug.Conn{} = conn, options) do - if options[:skip_instance_privacy_check] do - conn + @doc "Transforms scopes by applying supported options (e.g. :admin)" + def transform_scopes(scopes, options) do + if options[:admin] do + Config.oauth_admin_scopes(scopes) else - EnsurePublicOrAuthenticatedPlug.call(conn, []) + scopes end end end |