From 2ba10928096637a1c25b6d29c7a18fa8756e93d3 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Thu, 15 Oct 2015 16:49:13 +0200
Subject: [PATCH] Adhere to accessRestriction for oauth authorization endpoint

---
 src/routes/oauth2.js | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index eec834ce4..757f8d34e 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -3,6 +3,7 @@
 'use strict';
 
 var assert = require('assert'),
+    apps = require('../apps'),
     authcodedb = require('../authcodedb'),
     clientdb = require('../clientdb'),
     config = require('../config.js'),
@@ -380,10 +381,19 @@ var authorization = [
             callback(null, client, '/api/v1/session/callback?redirectURI=' + url.resolve(redirectOrigin, redirectPath));
         });
-    }, function (client, user, done) {
-        // This allows us to skip decision dialog
-        return done (null, true);
-    })
+    }),
+    function (req, res, next) {
+        debug('authorization: check accessPermissions');
+        appdb.get(req.oauth2.client.appId, function (error, appObject) {
+            if (error) return sendErrorPageOrRedirect(req, res, 'Invalid request. Unknown app for this client_id.');
+            if (!apps.hasAccessTo(appObject, req.oauth2.user)) return sendErrorPageOrRedirect(req, res, 'No access to this app.');
+            next();
+        });
+    },
+    gServer.decision({ loadTransaction: false })
 ];
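Review bot: The `appdb.get` error branch in the new access-check middleware reports every failure as 'Invalid request. Unknown app for this client_id.', so a transient database error is presented to the user as a bad request and any not-found distinction the error object carries is lost; consider checking the error's type and passing unexpected errors to `next(error)` while keeping the redirect for the genuine not-found case. The middleware also references `appdb`, which is not among the requires added in the first hunk — if it is not already required further down the list (which continues outside that hunk), this throws a ReferenceError at request time rather than at load time. The removed callback carried the comment explaining why the decision dialog is skipped; that intent is now implicit in invoking `gServer.decision(...)` directly after the check, so a comment such as `// access to the app verified above; approve without showing a decision dialog` would preserve it. The `authorization` array begins before this hunk.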