From: Tom Clegg
Date: Fri, 24 Nov 2017 06:10:56 +0000 (-0500)
Subject: 12627: Any token can permit scope, if acting as the right user.
X-Git-Tag: 1.1.2~49^2
X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/9c627105e9634249cd303f46c3b81ecdcbaead39

12627: Any token can permit scope, if acting as the right user.

Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index ba0efa7b53..6bdba7af89 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -365,7 +365,7 @@ class ApplicationController < ActionController::Base
 end
 def require_auth_scope
- if @read_auths.empty? || @read_auths[0] != current_api_client_authorization
+ unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid }
 if require_login != false
 send_error("Forbidden", status: 403)
 end
diff --git a/services/api/app/middlewares/arvados_api_token.rb b/services/api/app/middlewares/arvados_api_token.rb
index 1d477183f1..6a37631827 100644
--- a/services/api/app/middlewares/arvados_api_token.rb
+++ b/services/api/app/middlewares/arvados_api_token.rb
@@ -32,7 +32,7 @@ class ArvadosApiToken
 user = nil
 api_client = nil
 api_client_auth = nil
- if request.get?
+ if request.get? || params["_method"] == 'GET'
 reader_tokens = params["reader_tokens"]
 if reader_tokens.is_a? String
 reader_tokens = SafeJSON.load(reader_tokens)
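Review bot: The new condition in require_auth_scope passes whenever any entry of @read_auths belongs to current_user, so a narrowly scoped primary token is effectively elevated by any other token of the same user that the request carries; that is what the commit title describes, but nothing in the hunk shows @read_auths being limited to auths whose scopes permit this request, so that assumption should be written down where it is enforced. I would add above the `unless`: `# In scope if any token presented with this request (the Authorization token or a reader token) belongs to the current user; @read_auths is expected to hold only auths whose scopes cover this request — confirm where it is populated.` As a point of style, `current_user.uuid` is re-evaluated for every auth inside the block and could be hoisted into a local before the `unless`, and `auth.user.andand.uuid` could become `auth.user&.uuid` if the codebase is on Ruby 2.3 or later, which I cannot tell from the hunk. The `end` closing the `unless` and the method itself lie outside the hunk.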
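Review bot: The added `params["_method"] == 'GET'` clause lets reader_tokens be accepted from a request whose real verb is not GET, on the assumption that a `_method=GET` tunnel is treated as read-only by whatever handles the request downstream; nothing in the hunk ties the two together, so the reason should be stated next to the check. I would put above the `if`: `# reader_tokens are read-only credentials: honor them only for a GET, or for a request tunnelling a GET via _method=GET — confirm the controller treats that case as read-only too.` Note the comparison is exact-case, whereas a method-override middleware, if one is in the stack, would normally upcase the value, so `_method=get` is a GET there but not here; being stricter here fails safe (the reader tokens are simply ignored), so I would not widen the match without first confirming the downstream handling and where `params` is built (query string versus body), both of which are outside the hunk. The enclosing method starts before the hunk and continues after it.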