Introduce privileged scopes that only an administrator can enable

[rails.git] / app / models / oauth2_application.rb

diff --git a/app/models/oauth2_application.rb b/app/models/oauth2_application.rb
new file mode 100644 (file)
index 0000000..1657615
--- /dev/null
+++ b/app/models/oauth2_application.rb
@@ -0,0 +1,13 @@
+class Oauth2Application < Doorkeeper::Application
+  belongs_to :owner, :polymorphic => true
+
+  validate :allowed_scopes
+
+  private
+
+  def allowed_scopes
+    return if owner.administrator?
+
+    errors.add(:scopes) if scopes.any? { |scope| Oauth::PRIVILEGED_SCOPES.include?(scope) }
+  end
+end