diff --git a/auth/scopes.py b/auth/scopes.py
index 52ebda6d7..c41ad7033 100644
--- a/auth/scopes.py
+++ b/auth/scopes.py
@@ -43,6 +43,15 @@ READ_USER = Scope(scope= 'user:read',
 description=('This application will be able to read user information such as '
 'username and email address.'))
 
+ADMIN_USER = Scope(scope= 'user:admin',
+ icon='fa-gear',
+ dangerous=True,
+ title='Administer User',
+ description=('This application will be able to administer your account '
+ 'including creating robots and granting them permissions '
+ 'to your repositories. You should have absolute trust in the '
+ 'requesting application before granting this permission.'))
+
 ORG_ADMIN = Scope(scope='org:admin',
 icon='fa-gear',
 dangerous=True,
@@ -71,7 +80,7 @@ SUPERUSER = Scope(scope='super:user',
 'permission.'))
 
 ALL_SCOPES = {scope.scope: scope for scope in (READ_REPO, WRITE_REPO, ADMIN_REPO, CREATE_REPO,
- READ_USER, ORG_ADMIN, SUPERUSER)}
+ READ_USER, ORG_ADMIN, SUPERUSER, ADMIN_USER)}
 
 IMPLIED_SCOPES = {
 ADMIN_REPO: {ADMIN_REPO, WRITE_REPO, READ_REPO},
@@ -81,6 +90,7 @@ IMPLIED_SCOPES = {
 READ_USER: {READ_USER},
 ORG_ADMIN: {ORG_ADMIN},
 SUPERUSER: {SUPERUSER},
+ ADMIN_USER: {ADMIN_USER},
 None: set(),
 }
 
diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py
index fe8d73e6d..9a9adf53d 100644
--- a/endpoints/api/__init__.py
+++ b/endpoints/api/__init__.py
@@ -306,8 +306,7 @@ def require_user_permission(permission_class, scope=None):
 
 
 require_user_read = require_user_permission(UserReadPermission, scopes.READ_USER)
-require_user_admin = require_user_permission(UserAdminPermission, None)
-require_fresh_user_admin = require_user_permission(UserAdminPermission, None)
+require_user_admin = require_user_permission(UserAdminPermission, scopes.ADMIN_USER)
 
 
 def verify_not_prod(func):
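Review bot: The new `ADMIN_USER` definition in auth/scopes.py copies the stray space in `scope= 'user:admin'` from `READ_USER`; `ORG_ADMIN` directly below writes `scope='org:admin'`, so `ADMIN_USER = Scope(scope='user:admin',` would match it. The scope is marked `dangerous=True`, yet its consent text names only robot creation and repository grants, while the same commit makes it the gate for everything behind `require_user_admin`. A comment above the definition such as `# Gates every endpoint decorated with require_user_admin; keep the description in sync with that set.` would help keep the consent wording honest as endpoints are added.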
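Review bot: The `IMPLIED_SCOPES` entry `ADMIN_USER: {ADMIN_USER}` leaves `user:admin` without `READ_USER`, whereas `ADMIN_REPO` in the same table implies `WRITE_REPO` and `READ_REPO`. If the table is consulted the way its name suggests, a token granted only `user:admin` would be refused by endpoints behind `require_user_read`, which pushes clients to request both scopes. Consider `ADMIN_USER: {ADMIN_USER, READ_USER},` or add a comment on the entry stating that the omission is deliberate. The dictionary opens outside this hunk, so how its values are evaluated is not visible here.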
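Review bot: Changing the scope argument of `require_user_admin` from `None` to `scopes.ADMIN_USER` appears to open every endpoint behind this decorator to OAuth tokens carrying `user:admin`, where `None` (mapped to `set()` in `IMPLIED_SCOPES`) presumably matched no token at all. The body of `require_user_permission` is outside the hunk, so this is inferred, but each decorated endpoint should be checked for operations that ought to stay session-only, such as credential or email changes. The commit also drops `require_fresh_user_admin`; its definition was identical to `require_user_admin`, so no freshness check is lost in this file, yet any remaining import or use of that name will fail, and call sites that relied on the name to signal a recent-login requirement need that check enforced explicitly. A comment above the assignment such as `# OAuth tokens with user:admin satisfy this; do not use on endpoints that must require an interactive session.` would record the new contract.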