ropb implementation #137

2025-11-08 07:49:49 +01:00 · 2025-11-07 18:46:55 +01:00
parent bfd50e3cd5
commit c09f133652
2 changed files with 100 additions and 10 deletions
--- a/apps/permission/scopes.py
+++ b/apps/permission/scopes.py
@@ -107,6 +107,39 @@ class PermissionOAuth2Validator(OAuth2Validator):
        request.scopes = valid_scopes
        return valid_scopes

+    def validate_ropb_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        For ROPB valid scopes are scope of the user
+        """
+        valid_scopes = set()
+        request.oauth2 = {}
+        request.oauth2['user'] = request.user
+        request.oauth2['user'].is_anomymous = False
+        request.oauth2['scope'] = scopes
+        # mask implementation
+        if hasattr(request.decoded_body, 'mask'):
+            try:
+                request.oauth2['mask'] = int(request.decoded_body['mask'])
+            except ValueError:
+                request.oauth2['mask'] = 42
+        else:
+            request.oauth2['mask'] = 42
+
+        for t in Permission.PERMISSION_TYPES:
+            for p in PermissionBackend.get_raw_permissions(request, t[0]):
+                scope = f"{p.id}_{p.membership.club.id}"
+                if scope in scopes:
+                    valid_scopes.add(scope)
+
+        # Always give one scope to generate token
+        if not valid_scopes:
+            valid_scopes.add('0_0')
+
+        request.scopes = valid_scopes
+        return valid_scopes
+
+
+
    def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
        """
        User can request as many scope as he wants, including invalid scopes,
@@ -117,16 +150,14 @@ class PermissionOAuth2Validator(OAuth2Validator):
        """

        valid_scopes = set()
-
        if hasattr(request, 'grant_type') and request.grant_type == 'client_credentials':
            return self.validate_client_credentials_scopes(client_id, scopes, client, request, args, kwargs)
+        if hasattr(request, 'grant_type') and request.grant_type == 'password':
+            return self.validate_ropb_scopes(client_id, scopes, client, request, args, kwargs)
+

-        # simple patch for have functionnal ROPB flow
-        # TODO rewrite
-        r = get_current_request()
-        r.user = request.user
        for t in Permission.PERMISSION_TYPES:
-            for p in PermissionBackend.get_raw_permissions(r, t[0]):
+            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
                scope = f"{p.id}_{p.membership.club.id}"
                if scope in scopes:
                    valid_scopes.add(scope)