token access

apps/permission/scopes.py

@@ -54,7 +54,7 @@ class PermissionScopes(BaseScopes):
             return []
         scopes = [f"{p.id}_{p.membership.club.id}"
                   for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-        scopes = ['0_0']
+        scopes = ['0_0']  # always default
         return scopes
 
 
@@ -143,36 +143,6 @@ class PermissionOAuth2Validator(OAuth2Validator):
         request.scopes = valid_scopes
         return valid_scopes
 
-    def validate_code_scopes(self, client_id, scopes, client, request, *args, **kwargs):
-        """
-        For Authorization Code scope are scope of the user
-        """
-        valid_scopes = set()
-        req = get_current_request()
-        request.oauth2 = {}
-        request.oauth2['user'] = req.user
-        request.oauth2['scope'] = scopes
-        # mask implementation
-        request.oauth2['mask'] = req.session.load()['permission_mask']
-
-        for t in Permission.PERMISSION_TYPES:
-            for p in PermissionBackend.get_raw_permissions(request, t[0]):
-                scope = f"{p.id}_{p.membership.club.id}"
-                if scope in scopes:
-                    valid_scopes.add(scope)
-
-        # Always give one scope to generate token
-        if not valid_scopes:
-            valid_scopes.add('0_0')
-        request.scopes = valid_scopes
-        return valid_scopes
-
-    def validate_implicit_scopes(self, client_id, scopes, client, request, *args, **kwargs):
-        """
-        Implicit flow it's just degraded Authorization flow
-        """
-        return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)
-
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
         User can request as many scope as he wants, including invalid scopes,
@@ -187,19 +157,28 @@ class PermissionOAuth2Validator(OAuth2Validator):
         if hasattr(request, 'grant_type') and request.grant_type == 'password':
             return self.validate_ropb_scopes(client_id, scopes, client, request, args, kwargs)
 
-        if hasattr(request, '_params') and request._params['response_type'] == 'code':
-            return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)
+        # Authorization code and Implicit are the same for scope, OIDC it's only a layer
 
-        if hasattr(request, '_params') and request._params['response_type'] == 'token':
-            return self.validate_implicit_scopes(client_id, scopes, client, request, args, kwargs)
+        valid_scopes = set()
+        req = get_current_request()
+        request.oauth2 = {}
+        request.oauth2['user'] = req.user
+        request.oauth2['scope'] = scopes
+        # mask implementation
+        request.oauth2['mask'] = req.session.load()['permission_mask']
 
         for t in Permission.PERMISSION_TYPES:
-            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
+            for p in PermissionBackend.get_raw_permissions(request, t[0]):
                 scope = f"{p.id}_{p.membership.club.id}"
                 if scope in scopes:
                     valid_scopes.add(scope)
 
-        if '0_0' in scopes:
+        # We grant openid scope if user is active
+        if 'openid' in scopes and req.user.is_active:
+            valid_scopes.add('openid')
+
+        # Always give one scope to generate token
+        if not valid_scopes:
             valid_scopes.add('0_0')
 
         request.scopes = valid_scopes