Authorization Code Flow #137

2025-11-12 09:39:28 +01:00 · 2025-11-08 23:12:42 +01:00
parent c09f133652
commit 54d28b30e5
2 changed files with 206 additions and 29 deletions
--- a/apps/permission/scopes.py
+++ b/apps/permission/scopes.py
@@ -54,7 +54,7 @@ class PermissionScopes(BaseScopes):
            return []
        scopes = [f"{p.id}_{p.membership.club.id}"
                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-        scopes.append('0_0')
+        scopes = ['0_0']
        return scopes


@@ -138,7 +138,29 @@ class PermissionOAuth2Validator(OAuth2Validator):
        request.scopes = valid_scopes
        return valid_scopes

+    def validate_code_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        For Authorization Code scope are scope of the user
+        """
+        valid_scopes = set()
+        req = get_current_request()
+        request.oauth2 = {}
+        request.oauth2['user'] = req.user
+        request.oauth2['scope'] = scopes
+        # mask implementation
+        request.oauth2['mask'] = req.session.load()['permission_mask']

+        for t in Permission.PERMISSION_TYPES:
+            for p in PermissionBackend.get_raw_permissions(request, t[0]):
+                scope = f"{p.id}_{p.membership.club.id}"
+                if scope in scopes:
+                    valid_scopes.add(scope)
+
+        # Always give one scope to generate token
+        if not valid_scopes:
+            valid_scopes.add('0_0')
+        request.scopes = valid_scopes
+        return valid_scopes

    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
        """
@@ -148,13 +170,14 @@ class PermissionOAuth2Validator(OAuth2Validator):
        This allows clients to request more permission to get finally a
        subset of permissions.
        """
-
        valid_scopes = set()
        if hasattr(request, 'grant_type') and request.grant_type == 'client_credentials':
            return self.validate_client_credentials_scopes(client_id, scopes, client, request, args, kwargs)
        if hasattr(request, 'grant_type') and request.grant_type == 'password':
            return self.validate_ropb_scopes(client_id, scopes, client, request, args, kwargs)

+        if hasattr(request, '_params') and request._params['response_type'] == 'code':
+            return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)

        for t in Permission.PERMISSION_TYPES:
            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):