12627: Any token can permit scope, if acting as the right user.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tclegg@veritasgenetics.com>

diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index ba0efa7b537c30bd4ad1e74b10932fde3f8533cd..6bdba7af89d803975faa40f50d6508ab0b25d953 100644 (file)
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -365,7 +365,7 @@ class ApplicationController < ActionController::Base
   end
 
   def require_auth_scope
-    if @read_auths.empty? || @read_auths[0] != current_api_client_authorization
+    unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid }
       if require_login != false
         send_error("Forbidden", status: 403)
       end

diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index 1d477183f1f37f4907adad745bdbbb3de6da48ac..6a376318271472db857db6b926ba90d4d8262244 100644 (file)
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -32,7 +32,7 @@ class ArvadosApiToken
     user = nil
     api_client = nil
     api_client_auth = nil
-    if request.get?
+    if request.get? || params["_method"] == 'GET'
       reader_tokens = params["reader_tokens"]
       if reader_tokens.is_a? String
         reader_tokens = SafeJSON.load(reader_tokens)