Commit 43a18d09 authored by Thomas Löffler

Merge branch '496-i-can-t-create-an-access-token-for-one-extension-only' into 'develop'

[BUGFIX] Respect requested scope for extension restriction

Closes #496

See merge request t3o/ter!628
parents 3395676b 7067331e
Pipeline #10183 failed
......@@ -92,13 +92,14 @@ abstract class AbstractGrant implements GrantInterface
protected function issueAccessToken(ServerRequestInterface $request): AccessToken
{
$user = $request->getAttribute('api.user');
$requestedScope = $this->getScope($request, $user);
$accessToken = new AccessToken(
$this->random->generateRandomHexString($this->configurationService->getRandomLength()),
$user->getId(),
$this->timestamp,
$this->getExpires($request),
$this->getScope($request, $user),
$this->getExtensions($request, $user),
$requestedScope,
$this->getExtensions($request, $user, $requestedScope),
$this->getName($request),
);
......@@ -173,12 +174,23 @@ abstract class AbstractGrant implements GrantInterface
return $scope;
}
protected function getExtensions(ServerRequestInterface $request, ApiUserInterface $user): string
{
protected function getExtensions(
ServerRequestInterface $request,
ApiUserInterface $user,
int $requestedScope
): string {
$extensions = $request->getAttribute('routing')->offsetGet('routeArguments')->getPropertyValue('extensions');
$allowedExtensions = $this->extensionRepository->findExtensionKeysForUser($user->getName());
if ($extensions === null || $allowedExtensions === [] || $user->getScope()->isController()) {
// Skip restricting extensions if non were requested, the user does not have any
// extensions to restrict or in case the requesting user (the current API user)
// is a controller and also requested a controller scope. The latter means the
// token will allow the user to access all extensions since it will be a so called
// "controller" token, so we don't have to add any restrictions.
if ($extensions === null
|| $allowedExtensions === []
|| ($user->getScope()->isController() && (new Scope($requestedScope))->isController())
) {
return '';
}
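Review bot: The `$allowedExtensions === []` arm of the new condition still short-circuits before the controller/requested-scope comparison that follows it, so a controller user who owns no extensions of their own but requests a non-controller scope for one extension gets `''` back — which, per the comment directly above, is the unrestricted form — instead of the restriction this commit sets out to honour; whether such a user can reach this path is not visible here, so it is worth confirming before merging. The new `int $requestedScope` parameter and the meaning of the empty return are undocumented; a docblock on the signature along the lines of `@param int $requestedScope Scope the token is being issued with (may be narrower than the user's own scope)` and `@return string Empty string when the token carries no extension restriction` would make the contract explicit for callers. Building `new Scope($requestedScope)` inline inside the condition hides the intent; naming it first, `$tokenIsControllerScoped = (new Scope($requestedScope))->isController();`, and using that in the `||` chain keeps the condition readable and avoids repeating the construction if the flag is needed again below. The body of getExtensions continues past the end of the hunk, so how the non-empty return is built is not visible here.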