Diffstat (limited to 'internal/api/util')
-rw-r--r--internal/api/util/scopes.go26
-rw-r--r--internal/api/util/scopes_test.go10
2 files changed, 32 insertions, 4 deletions
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
index d02d3cc0d..8161de500 100644
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@@ -93,11 +93,29 @@ const (
// scope permits the wanted scope.
func (has Scope) Permits(wanted Scope) bool {
if has == wanted {
- // Exact match.
+ // Exact match on either a
+ // top-level or granular scope.
return true
}
- // Check if we have a parent scope of what's wanted,
- // eg., we have scope "admin", we want "admin:read".
- return strings.HasPrefix(string(wanted), string(has))
+ // Ensure we have a
+ // known top-level scope.
+ switch has {
+
+ case ScopeProfile,
+ ScopePush,
+ ScopeRead,
+ ScopeWrite,
+ ScopeAdmin,
+ ScopeAdminRead,
+ ScopeAdminWrite:
+ // Check if top-level includes wanted,
+ // eg., have "admin", want "admin:read".
+ return strings.HasPrefix(string(wanted), string(has)+":")
+
+ default:
+ // Unknown top-level scope,
+ // can't permit anything.
+ return false
+ }
}
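Review bot: The exact-match return at the top of Permits still runs before the known-scope switch, so a `has` value that is not one of the listed constants permits itself whenever `wanted` is the same string, including the empty scope. That is harmless if `wanted` only ever comes from the server's own scope constants, but the callers are not visible in this hunk; if that holds, record it next to the check, e.g. `// wanted is always a server-defined constant; an unrecognised has can match only itself.` The switch fails closed, so a parent scope added to the const block later must also be listed here or it will permit nothing beyond itself. That is worth one sentence in the method's doc comment, which begins above the hunk.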
diff --git a/internal/api/util/scopes_test.go b/internal/api/util/scopes_test.go
index bd533585b..72f6b57aa 100644
--- a/internal/api/util/scopes_test.go
+++ b/internal/api/util/scopes_test.go
@@ -89,6 +89,16 @@ func TestScopes(t *testing.T) {
WantsScope: util.ScopeWrite,
Expect: false,
},
+ {
+ HasScope: util.ScopeProfile,
+ WantsScope: util.ScopePush,
+ Expect: false,
+ },
+ {
+ HasScope: util.Scope("p"),
+ WantsScope: util.ScopePush,
+ Expect: false,
+ },
} {
res := test.HasScope.Permits(test.WantsScope)
if res != test.Expect {
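Review bot: Both added cases would also pass with only the `+":"` change in Permits, so nothing here exercises the new `default` branch that rejects unrecognised scopes. A case where the wanted scope does start with the unknown scope plus a colon would pin that branch on its own, e.g. `{HasScope: util.Scope("p"), WantsScope: util.Scope("p:x"), Expect: false},`. TestScopes starts and ends outside this hunk, so an equivalent case may already exist in the part of the table not shown.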