Allow oauth2 clients to exercise permissions independent to the user
This commit is contained in:
parent
3f2680671b
commit
5eb0487c77
@ -24,6 +24,11 @@ class PermissionMiddleware extends Middleware {
|
|||||||
.message('Insufficient permissions (OAuth2 Client).')
|
.message('Insufficient permissions (OAuth2 Client).')
|
||||||
.api()
|
.api()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If the oauth2 client has this permission, then allow the request to continue,
|
||||||
|
// even if the user does not.
|
||||||
|
// OAuth2Clients need to be able to query users via the API.
|
||||||
|
return next()
|
||||||
}
|
}
|
||||||
|
|
||||||
const policy_denied = await Policy.check_user_denied(req.user, check)
|
const policy_denied = await Policy.check_user_denied(req.user, check)
|
||||||
|
@ -11,6 +11,7 @@ class APIRouteMiddleware extends Middleware {
|
|||||||
return next()
|
return next()
|
||||||
} else if ( allow_token ) {
|
} else if ( allow_token ) {
|
||||||
if ( !req.oauth ) req.oauth = {}
|
if ( !req.oauth ) req.oauth = {}
|
||||||
|
|
||||||
return req.app.oauth2.authorise()(req, res, async e => {
|
return req.app.oauth2.authorise()(req, res, async e => {
|
||||||
if ( e ) return next(e)
|
if ( e ) return next(e)
|
||||||
// Look up the OAuth2 client an inject it into the route
|
// Look up the OAuth2 client an inject it into the route
|
||||||
@ -52,10 +53,10 @@ class APIRouteMiddleware extends Middleware {
|
|||||||
|
|
||||||
next()
|
next()
|
||||||
})
|
})
|
||||||
}
|
} else {
|
||||||
|
|
||||||
return res.status(401).api()
|
return res.status(401).api()
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module.exports = exports = APIRouteMiddleware
|
module.exports = exports = APIRouteMiddleware
|
||||||
|
Loading…
Reference in New Issue
Block a user