Allow oauth2 clients to exercise permissions independent to the user

4 years ago · 5eb0487c77
parent 3f2680671b
commit 5eb0487c77
2 changed files with 8 additions and 2 deletions
--- a/app/routing/middleware/api/Permission.middleware.js
+++ b/app/routing/middleware/api/Permission.middleware.js
@ -24,6 +24,11 @@ class PermissionMiddleware extends Middleware {
                    .message('Insufficient permissions (OAuth2 Client).')
                    .api()
            }
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
        }

        const policy_denied = await Policy.check_user_denied(req.user, check)
--- a/app/routing/middleware/auth/APIRoute.middleware.js
+++ b/app/routing/middleware/auth/APIRoute.middleware.js
@ -11,6 +11,7 @@ class APIRouteMiddleware extends Middleware {
            return next()
        } else if ( allow_token ) {
            if ( !req.oauth ) req.oauth = {}
+
            return req.app.oauth2.authorise()(req, res, async e => {
                if ( e ) return next(e)
                // Look up the OAuth2 client an inject it into the route
@ -52,9 +53,9 @@ class APIRouteMiddleware extends Middleware {

                next()
            })
+        } else {
+            return res.status(401).api()
        }
-
-        return res.status(401).api()
    }
 }