Change: username/password authentication with no scope results in

access token with default scope. Makes like easier for everyone.
demandforce · Nov 30, 2010 · 96fdb6a · 96fdb6a
1 parent c39b3f7
commit 96fdb6a
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 7 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,9 @@
+2010-11-30 version 2.0.1
+
+Change: username/password authentication with no scope results in access token
+with default scope. Makes like easier for everyone.
+
+
 2010-11-23 version 2.0.0
 
 MAJOR CHANGE:

diff --git a/README.rdoc b/README.rdoc
@@ -417,7 +417,7 @@ You can set the following options:
 - +scope+ -- Common scope shown and added by default to new clients (array of
   names, e.g. ["read", "write"]).
 
-== Web Admin API
+=== Web Admin API
 
 The OAuth Web admin is a single-page client application that operates by
 accessing the OAuth API. The API is mounted at /oauth/admin/api (basically /api

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.0.0
+2.0.1
diff --git a/lib/rack/oauth2/server.rb b/lib/rack/oauth2/server.rb
@@ -354,7 +354,7 @@ def respond_with_access_token(request, logger)
             # 4.1.2.  Resource Owner Password Credentials
             username, password = request.POST.values_at("username", "password")
             raise InvalidGrantError, "Missing username/password" unless username && password
-            requested_scope = Utils.normalize_scope(request.POST["scope"])
+            requested_scope = request.POST["scope"] ? Utils.normalize_scope(request.POST["scope"]) : client.scope
             allowed_scope = client.scope
             raise InvalidScopeError unless (requested_scope - allowed_scope).empty?
             args = [username, password]

diff --git a/test/oauth/access_grant_test.rb b/test/oauth/access_grant_test.rb
@@ -76,9 +76,10 @@ def request_access_token(changes = nil)
     post "/oauth/access_token", params
   end
 
-  def request_with_username_password(username, password, scope = "read write")
+  def request_with_username_password(username, password, scope = nil)
     basic_authorize client.id, client.secret
-    params = { :grant_type=>"password", :scope=>scope }
+    params = { :grant_type=>"password" }
+    params[:scope] = scope if scope
     params[:username] = username if username
     params[:password] = password if password
     post "/oauth/access_token", params
@@ -211,8 +212,13 @@ def request_with_username_password(username, password, scope = "read write")
   end
 
   context "no scope specified" do
-    setup { request_with_username_password "cowbell", "more", nil }
-    should_respond_with_access_token nil
+    setup { request_with_username_password "cowbell", "more" }
+    should_respond_with_access_token "oauth-admin read write"
+  end
+
+  context "given scope" do
+    setup { request_with_username_password "cowbell", "more", "read" }
+    should_respond_with_access_token "read"
   end
 
   context "unsupported scope" do