projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
12626: Check for scoped tokens.
[arvados.git] / services / api / app / controllers / arvados / v1 / users_controller.rb
diff --git a/services/api/app/controllers/arvados/v1/users_controller.rb b/services/api/app/controllers/arvados/v1/users_controller.rb
index 3b89067522a753c387bbe0d705bade83856b1990..3a2b347d28b31407f4bcc5b1f66faf311698f96e 100644 (file)
--- a/services/api/app/controllers/arvados/v1/users_controller.rb
+++ b/services/api/app/controllers/arvados/v1/users_controller.rb
@@ -128,6 +128,8 @@ class Arvados::V1::UsersController < ApplicationController
   def merge
     if !Thread.current[:api_client].andand.is_trusted
       return send_error("supplied API token is not from a trusted client", status: 403)
+    elsif Thread.current[:api_client_authorization].scopes != ['all']
+      return send_error("cannot merge with a scoped token", status: 403)
     end
 
     dst_auth = ApiClientAuthorization.validate(token: params[:new_user_token])
@@ -136,6 +138,8 @@ class Arvados::V1::UsersController < ApplicationController
     end
     if !dst_auth.api_client.andand.is_trusted
       return send_error("supplied new_user_token is not from a trusted client", status: 403)
+    elsif dst_auth.scopes != ['all']
+      return send_error("supplied new_user_token has restricted scope", status: 403)
     end
     dst_user = dst_auth.user