Reject access if there are no allowed_scopes set (ClientProtectedResourceMixin)

a152704a · Jonathan Weth · 14262ec4 · a152704a · a152704a
Verified Commit a152704a authored 2 years ago by Jonathan Weth
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -26,6 +26,8 @@ Fixed
 * Due to a merge error, the once removed account menu in the sidenav appeared again.
 * Scheduled notifications were shown on dashboard before time.
 * Remove broken notifications menu item in favor of item next to account menu.
+* [OAuth2] Resources which are protected with client credentials 
+  allowed access even if there were not allowed scopes set.

 Changed
 ~~~~~~~

--- a/aleksis/core/util/auth_helpers.py
+++ b/aleksis/core/util/auth_helpers.py
@@ -134,6 +134,10 @@ class ClientProtectedResourceMixin(_ClientProtectedResourceMixin):
        # Verify scopes of configured application
        # The OAuth request was enriched with a reference to the Application when using the
        #  validator above.
+        if not oauth_request.client.allowed_scopes:
+            # If there are no allowed scopes, the client is not allowed to access this resource
+            return False
+
        required_scopes = set(self.get_scopes() or [])
        allowed_scopes = set(AppScopes().get_available_scopes(oauth_request.client) or [])
        return required_scopes.issubset(allowed_scopes)