User scope objects everywhere. Switch scope objects to namedtuples. Pass the user when validating whether the user has authorized such scopes in the past. Make sure we calculate the scope string using all user scopes form all previously granted tokens.
This commit is contained in:
jakedt
parent
c93c62600d
commit
3b7b12085d
6 changed files with 103 additions and 76 deletions
|
|
@ -277,7 +277,8 @@ def request_authorization_code():
|
|||
redirect_uri = request.args.get('redirect_uri', None)
|
||||
scope = request.args.get('scope', None)
|
||||
|
||||
if not provider.validate_has_scopes(client_id, scope):
|
||||
if (not current_user.is_authenticated() or
|
||||
not provider.validate_has_scopes(client_id, current_user.db_user().username, scope)):
|
||||
if not provider.validate_redirect_uri(client_id, redirect_uri):
|
||||
abort(404)
|
||||
return
|
||||
|
|
|
|||
Reference in a new issue