jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Ensure we hand out max user.scope

Browse Source 
The token.scope was valid at token creation time. The user's scope
could since have changed (maybe we got kicked out of a group).
This commit is contained in:
Girish Ramakrishnan
2018-04-30 22:06:51 -07:00
parent 200f43a58e
commit 240ee5f563
8 changed files with 159 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/accesscontrol.js
View File

@@ -82,7 +82,11 @@ function normalizeScope(maxScope, allowedScope) {
assert.strictEqual(typeof maxScope, 'string');
assert.strictEqual(typeof allowedScope, 'string');
if (maxScope === exports.SCOPE_ANY) return allowedScope;
const maxScopes = maxScope.split(',');
const allowedScopes = allowedScope.split(',');
return _.intersection(maxScope.split(','), allowedScope.split(',')).join(',');
if (maxScopes.indexOf(exports.SCOPE_ANY) !== -1) return allowedScope;
if (allowedScopes.indexOf(exports.SCOPE_ANY) !== -1) return maxScope;
return _.intersection(maxScopes, allowedScopes).join(',');
}