Allow oauth2 clients to exercise permissions independent to the user

app/routing/middleware/api/Permission.middleware.js

@@ -17,13 +17,18 @@ class PermissionMiddleware extends Middleware {
                     req,
                     reason,
                     check,
-                    oauth_client_id: req.oauth.client.id,
+                    oauth_client_id: req.oauth.client.uuid,
                 })
 
                 return res.status(401)
                     .message('Insufficient permissions (OAuth2 Client).')
                     .api()
             }
+
+            // If the oauth2 client has this permission, then allow the request to continue,
+            // even if the user does not.
+            // OAuth2Clients need to be able to query users via the API.
+            return next()
         }
 
         const policy_denied = await Policy.check_user_denied(req.user, check)

app/routing/middleware/auth/APIRoute.middleware.js

@@ -7,10 +7,11 @@ class APIRouteMiddleware extends Middleware {
 
     async test(req, res, next, { allow_token = true, allow_user = true }) {
         // First, check if there is a user in the session.
-        if ( allow_user && req.is_auth ) {
+        if ( allow_user && req.user ) {
             return next()
         } else if ( allow_token ) {
             if ( !req.oauth ) req.oauth = {}
+
             return req.app.oauth2.authorise()(req, res, async e => {
                 if ( e ) return next(e)
                 // Look up the OAuth2 client an inject it into the route
@@ -52,9 +53,9 @@ class APIRouteMiddleware extends Middleware {
 
                 next()
             })
+        } else {
+            return res.status(401).api()
         }
-
-        return res.status(401).api()
     }
 }