From a152704ac08abf18e2e1e0bb531b100728e5cae2 Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Sat, 23 Apr 2022 19:58:03 +0200
Subject: [PATCH] Reject access if there are no allowed_scopes set
 (ClientProtectedResourceMixin)

---
 CHANGELOG.rst                     | 2 ++
 aleksis/core/util/auth_helpers.py | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index c2a9e2cfa..00bf1078c 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -26,6 +26,8 @@ Fixed
 * Due to a merge error, the once removed account menu in the sidenav appeared again.
 * Scheduled notifications were shown on dashboard before time.
 * Remove broken notifications menu item in favor of item next to account menu.
+* [OAuth2] Resources which are protected with client credentials 
+  allowed access even if there were not allowed scopes set.
 
 Changed
 ~~~~~~~
diff --git a/aleksis/core/util/auth_helpers.py b/aleksis/core/util/auth_helpers.py
index 6edfac833..ca80aeae4 100644
--- a/aleksis/core/util/auth_helpers.py
+++ b/aleksis/core/util/auth_helpers.py
@@ -134,6 +134,10 @@ class ClientProtectedResourceMixin(_ClientProtectedResourceMixin):
         # Verify scopes of configured application
         # The OAuth request was enriched with a reference to the Application when using the
         #  validator above.
+        if not oauth_request.client.allowed_scopes:
+            # If there are no allowed scopes, the client is not allowed to access this resource
+            return False
+
         required_scopes = set(self.get_scopes() or [])
         allowed_scopes = set(AppScopes().get_available_scopes(oauth_request.client) or [])
         return required_scopes.issubset(allowed_scopes)
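Review bot: The new guard reads `oauth_request.client.allowed_scopes` directly, while the decision three lines later is built from `AppScopes().get_available_scopes(oauth_request.client)`; if those two sources ever disagree (presumably a scope stored on the application that the scope registry no longer offers, or the reverse), the guard and the subset test judge different sets. Moving the check after the set is built keeps one source of truth: keep `allowed_scopes = set(AppScopes().get_available_scopes(oauth_request.client) or [])` and add `if not allowed_scopes: return False` immediately before the `issubset` call, with the same explanatory comment. That placement still closes the case the commit targets, where an empty `required_scopes` is a subset of an empty `allowed_scopes` and the method returned True. The enclosing method starts outside the hunk, so whether `oauth_request.client` can be unset here is not visible; the guard relies on the comment's claim that the validator populates it.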
-- 
GitLab