Merge remote-tracking branch 'upstream/pull/3300'

app/controllers/application_controller.rb

@@ -395,4 +395,10 @@ def safe_referer(referer)
 
     referer.to_s
   end
+
+  def scope_enabled?(scope)
+    doorkeeper_token&.includes_scope?(scope) || current_token&.includes_scope?(scope)
+  end
+
+  helper_method :scope_enabled?
 end

app/controllers/oauth2_applications_controller.rb

@@ -20,8 +20,8 @@ def set_application
   end
 
   def application_params
-    params[:doorkeeper_application][:scopes]&.delete("")
-    params.require(:doorkeeper_application)
+    params[:oauth2_application][:scopes]&.delete("")
+    params.require(:oauth2_application)
           .permit(:name, :redirect_uri, :confidential, :scopes => [])
           .merge(:owner => current_resource_owner)
   end

app/models/oauth2_application.rb

@@ -0,0 +1,13 @@
+class Oauth2Application < Doorkeeper::Application
+  belongs_to :owner, :polymorphic => true
+
+  validate :allowed_scopes
+
+  private
+
+  def allowed_scopes
+    return if owner.administrator?
+
+    errors.add(:scopes) if scopes.any? { |scope| Oauth::PRIVILEGED_SCOPES.include?(scope) }
+  end
+end

app/views/api/users/_user.json.jbuilder

@@ -65,5 +65,7 @@ json.user do
         json.count user.sent_messages.size
       end
     end
+
+    json.email user.email if scope_enabled?(:read_email)
   end
 end

app/views/api/users/_user.xml.builder

@@ -40,5 +40,6 @@ xml.tag! "user", :id => user.id,
                            :unread => user.new_messages.size
       xml.tag! "sent", :count => user.sent_messages.size
     end
+    xml.tag! "email", user.email if scope_enabled?(:read_email)
   end
 end

app/views/oauth2_applications/_form.html.erb

@@ -3,5 +3,5 @@
 <%= f.form_group :confidential do %>
   <%= f.check_box :confidential %>
 <% end %>
-<%= f.collection_check_boxes :scopes, Oauth.scopes, :name, :description %>
+<%= f.collection_check_boxes :scopes, Oauth.scopes(:privileged => current_user.administrator?), :name, :description %>
 <%= f.primary %>

config/initializers/doorkeeper.rb

@@ -48,6 +48,8 @@
   #   end
   # end
 
+  application_class "Oauth2Application"
+
   # Enables polymorphic Resource Owner association for Access Tokens and Access Grants.
   # By default this option is disabled.
   #
@@ -221,7 +223,7 @@
   # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
 
   # default_scopes  :public
-  optional_scopes(*Oauth::SCOPES)
+  optional_scopes(*Oauth::SCOPES, *Oauth::PRIVILEGED_SCOPES)
 
   # Allows to restrict only certain scopes for grant_type.
   # By default, all the scopes will be available for all the grant types.
@@ -417,10 +419,10 @@
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.
-  #
-  # skip_authorization do |resource_owner, client|
-  #   client.superapp? or resource_owner.admin?
-  # end
+
+  skip_authorization do |_, client|
+    client.scopes.include?("skip_authorization")
+  end
 
   # Configure custom constraints for the Token Introspection request.
   # By default this configuration option allows to introspect a token by another

config/locales/en.yml

@@ -2367,6 +2367,8 @@ en:
       read_gpx: Read private GPS traces
       write_gpx: Upload GPS traces
       write_notes: Modify notes
+      read_email: Read user email address
+      skip_authorization: Auto approve application
   oauth_clients:
     new:
       title: "Register a new application"

lib/oauth.rb

@@ -1,5 +1,6 @@
 module Oauth
   SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
+  PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
 
   class Scope
     attr_reader :name
@@ -13,7 +14,9 @@ def description
     end
   end
 
-  def self.scopes
-    SCOPES.collect { |s| Scope.new(s) }
+  def self.scopes(privileged: false)
+    scopes = SCOPES
+    scopes += PRIVILEGED_SCOPES if privileged
+    scopes.collect { |s| Scope.new(s) }
   end
 end