Only show granted permissions in the authorized application list

Fixes openstreetmap#4124
tomhughes · Jul 30, 2023 · c376962 · c376962
1 parent 60f42ed
commit c376962
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/app/models/oauth2_application.rb b/app/models/oauth2_application.rb
@@ -3,6 +3,10 @@ class Oauth2Application < Doorkeeper::Application
 
   validate :allowed_scopes
 
+  def authorized_scopes_for(user)
+    authorized_tokens.where(:resource_owner_id => user).sum(Doorkeeper::OAuth::Scopes.new, &:scopes)
+  end
+
   private
 
   def allowed_scopes

diff --git a/app/views/oauth2_authorized_applications/_application.html.erb b/app/views/oauth2_authorized_applications/_application.html.erb
@@ -4,7 +4,7 @@
   </td>
   <td class="align-middle">
     <ul class="list-unstyled mb-0">
-      <% application.scopes.each do |scope| -%>
+      <% application.authorized_scopes_for(current_user).each do |scope| -%>
         <li><%= t "oauth.scopes.#{scope}" %></li>
       <% end -%>
     </ul>

diff --git a/test/controllers/oauth2_authorized_applications_controller_test.rb b/test/controllers/oauth2_authorized_applications_controller_test.rb
@@ -36,6 +36,32 @@ def test_index
     assert_select "tbody tr", 2
   end
 
+  def test_index_scopes
+    user = create(:user)
+    application1 = create(:oauth_application, :scopes => %w[read_prefs write_prefs write_diary read_gpx write_gpx])
+    create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+    create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+    create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+    create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+
+    get oauth_authorized_applications_path
+    assert_response :redirect
+    assert_redirected_to login_path(:referer => oauth_authorized_applications_path)
+
+    session_for(user)
+
+    get oauth_authorized_applications_path
+    assert_response :success
+    assert_template "oauth2_authorized_applications/index"
+    assert_select "tbody tr", 1
+    assert_select "tbody tr td ul" do
+      assert_select "li", :count => 3
+      assert_select "li", :text => "Read user preferences"
+      assert_select "li", :text => "Modify user preferences"
+      assert_select "li", :text => "Create diary entries, comments and make friends"
+    end
+  end
+
   def test_destroy
     user = create(:user)
     application1 = create(:oauth_application)