Diffstat (limited to 'internal/api/util/scopes.go')
-rw-r--r--internal/api/util/scopes.go26
1 files changed, 22 insertions, 4 deletions
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
index d02d3cc0d..8161de500 100644
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@@ -93,11 +93,29 @@ const (
// scope permits the wanted scope.
func (has Scope) Permits(wanted Scope) bool {
if has == wanted {
- // Exact match.
+ // Exact match on either a
+ // top-level or granular scope.
return true
}
- // Check if we have a parent scope of what's wanted,
- // eg., we have scope "admin", we want "admin:read".
- return strings.HasPrefix(string(wanted), string(has))
+ // Ensure we have a
+ // known top-level scope.
+ switch has {
+
+ case ScopeProfile,
+ ScopePush,
+ ScopeRead,
+ ScopeWrite,
+ ScopeAdmin,
+ ScopeAdminRead,
+ ScopeAdminWrite:
+ // Check if top-level includes wanted,
+ // eg., have "admin", want "admin:read".
+ return strings.HasPrefix(string(wanted), string(has)+":")
+
+ default:
+ // Unknown top-level scope,
+ // can't permit anything.
+ return false
+ }
}
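Review bot: The exact-match branch at the top of `Permits` still runs before the known-scope `switch`, so two equal but unrecognised values (including two empty strings) return true; whether that is reachable depends on callers, which are outside this hunk. If an empty scope can ever arrive from a token, an early `if has == "" { return false }` would make the function fail closed for that case too. The `switch` list is also a second copy of the scopes in the `const` block, so I would add a comment on it such as `// Keep in sync with the Scope constants; unlisted scopes only permit exact matches.` and a table test covering an unknown `has`, a prefix without the `:` separator, and a granular `has`. The doc comment of `Permits` begins above the hunk.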