From: Paweł Chmielowski Date: Thu, 6 Oct 2016 08:59:31 +0000 (+0200) Subject: Make handling of oauth clauses be more consistent with other rules X-Git-Tag: 16.12~25^2~24 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=438dbc8bda36fcee672926a0692fdcd276c30727;p=ejabberd Make handling of oauth clauses be more consistent with other rules
---
diff --git a/src/ejabberd_access_permissions.erl b/src/ejabberd_access_permissions.erl
index ac023b3f2..3b88e6ade 100644
--- a/src/ejabberd_access_permissions.erl
+++ b/src/ejabberd_access_permissions.erl
@@ -267,15 +267,18 @@ matches_definition({_Name, {From, Who, What}}, Cmd, Module, Host, CallerInfo) ->
 acl:access_matches(Access, CallerInfo, Host) == allow;
 ({acl, _} = Acl) when Scope == none ->
 acl:acl_rule_matches(Acl, CallerInfo, Host);
- ({oauth, List}) when Scope /= none ->
- lists:all(
- fun({access, Access}) ->
- acl:access_matches(Access, CallerInfo, Host) == allow;
- ({acl, _} = Acl) ->
- acl:acl_rule_matches(Acl, CallerInfo, Host);
- ({scope, Scopes}) ->
- ejabberd_oauth:scope_in_scope_list(Scope, Scopes)
- end, List);
+ ({oauth, Scopes, List}) when Scope /= none ->
+ case ejabberd_oauth:scope_in_scope_list(Scope, Scopes) of
+ true ->
+ lists:any(
+ fun({access, Access}) ->
+ acl:access_matches(Access, CallerInfo, Host) == allow;
+ ({acl, _} = Acl) ->
+ acl:acl_rule_matches(Acl, CallerInfo, Host)
+ end, List);
+ _ ->
+ false
+ end;
 (_) ->
 false
 end, Who);
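Review bot: An oauth rule whose `who` section holds only scope entries now arrives here as `{oauth, Scopes, []}` and can never match, because `lists:any/2` over an empty `List` is false even after the scope check passed, whereas the removed `lists:all/2` over a scope-only list returned true. That is the fail-closed direction, but nothing reports it: the second hunk in parse_who/3 rejects an empty `Scopes` yet passes an empty `Rest` through. Either reject it at parse time alongside the scope check, e.g. a `[] -> report_error(<<"Oauth rule must contain at least one access or acl rule in 'who' section for api_permission '~s'">>, [Name])` clause on `Rest` (assuming report_error/2 aborts parsing, which the hunk does not show), or, if scope-only rules are meant to keep working, make the intent explicit on this clause with `%% matches only when the token scope is listed AND at least one access/acl rule matches the caller`. Minor: if ejabberd_oauth:scope_in_scope_list/2 is boolean, `false ->` is more precise than the `_ ->` catch-all. The enclosing fun and the `lists:*` call over `Who` begin before this hunk.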
@@ -370,7 +373,18 @@ parse_who(Name, Defs, ParseOauth) when is_list(Defs) ->
 ([{oauth, OauthList}]) when is_list(OauthList) ->
 case ParseOauth of
 oauth ->
- {oauth, parse_who(Name, lists:flatten(OauthList), scope)};
+ Nested = parse_who(Name, lists:flatten(OauthList), scope),
+ {Scopes, Rest} = lists:partition(
+ fun({scope, _}) -> true;
+ (_) -> false
+ end, Nested),
+ case Scopes of
+ [] ->
+ report_error(<<"Oauth rule must contain at least one scope rule in 'who' section for api_permission '~s'">>,
+ [Name]);
+ _ ->
+ {oauth, lists:foldl(fun({scope, S}, A) -> S ++ A end, [], Scopes), Rest}
+ end;
 scope ->
 report_error(<<"Oauth rule can't be embeded inside other oauth rule in 'who' section for api_permission '~s'">>,
 [Name])
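Review bot: The scope-flattening fold in the `_ ->` branch, `lists:foldl(fun({scope, S}, A) -> S ++ A end, [], Scopes)`, is a manual `lists:append/1` that also reverses the order of the scope lists; `lists:append([S || {scope, S} <- Scopes])` states the intent directly, and wrapping it in `lists:usort/1` would collapse a scope listed twice in the same rule, which a later membership check does not need but a log or dump of the parsed permission would read more cleanly. If scope order or duplicates are relied on elsewhere, keep the fold and add `%% merge all scope entries of this oauth rule into one list` above it. The enclosing fun passed over the definitions starts before this hunk.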