0006-Use-Redmine-s-permissions-as-OAuth2-scopes.patch - Redmine

app/controllers/application_controller.rb
115	115	elsif access_token = Doorkeeper.authenticate(request)
116	116	if access_token.accessible?
117	117	user = User.active.find_by_id(access_token.resource_owner_id)
	118	user.oauth_scope = access_token.scopes.all.map(&:to_sym)
118	119	else
119	120	doorkeeper_render_error
120	121	end

     class Oauth2ApplicationsController < Doorkeeper::ApplicationsController
       private
       def application_params
         params[:doorkeeper_application] ||= {}
         params[:doorkeeper_application][:scopes] ||= []
         scopes = Redmine::AccessControl.public_permissions.map{|p| p.name.to_s}
         if params[:doorkeeper_application][:scopes].is_a?(Array)
           scopes |= params[:doorkeeper_application][:scopes]
         else
           scopes |= params[:doorkeeper_application][:scopes].split(/\s+/)
         end
         params[:doorkeeper_application][:scopes] = scopes.join(' ')
         super
       end
     end

       attr_accessor :password, :password_confirmation, :generate_password
       attr_accessor :last_before_login_on
       attr_accessor :remote_ip
       attr_writer   :oauth_scope
       # Prevents unauthorized assignments
       attr_protected :password, :password_confirmation, :hashed_password
-...
       def allowed_to?(action, context, options={}, &block)
         if context && context.is_a?(Project)
           return false unless context.allows_to?(action)
           # Admin users are authorized for anything else
           return true if admin?
           # Admin users are authorized for anything or what their oauth scope prescribes
           if admin? && @oauth_scope.present?
             Role.new(permissions: @oauth_scope).allowed_to?(action, @oauth_scope)
           elsif admin?
             return true
           end
           roles = roles_for_project(context)
           return false unless roles
           roles.any? {|role|
             (context.is_public? || role.member?) &&
             role.allowed_to?(action) &&
             role.allowed_to?(action, @oauth_scope) &&
             (block_given? ? yield(role, self) : true)
+          }
         elsif context && context.is_a?(Array)
-...
         elsif context
           raise ArgumentError.new("#allowed_to? context argument must be a Project, an Array of projects or nil")
         elsif options[:global]
           # Admin users are always authorized
           return true if admin?
           # Admin users are always authorized, only limited by their oauth scope
           if admin? && @oauth_scope.present?
             Role.new(permissions: @oauth_scope).allowed_to?(action, @oauth_scope)
           elsif admin?
             return true
           end
           # authorize if user has at least one role that has this permission
           roles = self.roles.to_a | [builtin_role]
           roles.any? {|role|
             role.allowed_to?(action) &&
             role.allowed_to?(action, @oauth_scope) &&
             (block_given? ? yield(role, self) : true)
+          }
         else

           <% end %>
         </em>
       </p>
     </div>
       <p>
         <%= f.text_field :scopes, :size => 60, :label => :'activerecord.attributes.doorkeeper/application.scopes'  %>
         <em class="info">
           <%= t('doorkeeper.applications.help.scopes') %>
         </em>
       </p>
     <h3><%= l(:'activerecord.attributes.doorkeeper/application.scopes') %></h3>
     <div class="box tabular" id="scopes">
     <% perms_by_module = Redmine::AccessControl.permissions.group_by {|p| p.project_module.to_s} %>
     <% perms_by_module.keys.sort.each do |mod| %>
         <fieldset><legend><%= mod.blank? ? l(:label_project) : l_or_humanize(mod, :prefix => 'project_module_') %></legend>
         <% perms_by_module[mod].each do |permission| %>
             <label class="floating">
             <%= check_box_tag 'doorkeeper_application[scopes][]', permission.name.to_s, (permission.public? || @application.scopes.include?( permission.name.to_s)),
                   :id => "doorkeeper_application_scopes_#{permission.name}",
                   :data => {:shows => ".#{permission.name}_shown"},
                   :disabled => permission.public? %>
             <%= l_or_humanize(permission.name, :prefix => 'permission_') %>
             </label>
         <% end %>
         </fieldset>
     <% end %>
     <br /><%= check_all_links 'scopes' %>
     <%= hidden_field_tag 'doorkeeper_application[scopes][]', '' %>
     </div>

       reuse_access_token
       realm           Redmine::Info.app_name
       base_controller 'ApplicationController'
       default_scopes  :public
       default_scopes  *Redmine::AccessControl.public_permissions.map(&:name)
       optional_scopes *Redmine::AccessControl.permissions.map(&:name)
       resource_owner_authenticator do
         if require_login

     Rails.application.routes.draw do
       use_doorkeeper
       use_doorkeeper do
         controllers :applications => 'oauth2_applications'
       end
       root :to => 'welcome#index'
       root :to => 'welcome#index', :as => 'home'

                 :html => {:class => 'icon icon-server-authentication'}
       menu.push :plugins, {:controller => 'admin', :action => 'plugins'}, :last => true,
                 :html => {:class => 'icon icon-plugins'}
       menu.push :applications, {:controller => 'doorkeeper/applications', :action => 'index'}, :last => true,
       menu.push :applications, {:controller => 'oauth2_applications', :action => 'index'}, :last => true,
                 :if => Proc.new { Setting.rest_api_enabled? },
                 :caption => :'doorkeeper.layouts.admin.nav.applications',
                 :html => {:class => 'icon icon-applications'}

Project

General

Profile

Redmine

Feature #24808 » 0006-Use-Redmine-s-permissions-as-OAuth2-scopes.patch