Only show granted permissions in the authorized application list
authorTom Hughes <tom@compton.nu>
Sun, 30 Jul 2023 19:35:13 +0000 (20:35 +0100)
committerTom Hughes <tom@compton.nu>
Sun, 30 Jul 2023 19:35:13 +0000 (20:35 +0100)
Fixes #4124

app/models/oauth2_application.rb
app/views/oauth2_authorized_applications/_application.html.erb
test/controllers/oauth2_authorized_applications_controller_test.rb

index 16576152026328a3c750c43b62eb172ee358d7d6..73a02417da5223802459d4e75c50f1eb2206f92c 100644 (file)
@@ -3,6 +3,10 @@ class Oauth2Application < Doorkeeper::Application
 
   validate :allowed_scopes
 
+  def authorized_scopes_for(user)
+    authorized_tokens.where(:resource_owner_id => user).sum(Doorkeeper::OAuth::Scopes.new, &:scopes)
+  end
+
   private
 
   def allowed_scopes
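Review bot: authorized_scopes_for unions the scopes of every token returned by authorized_tokens for the user, but nothing in the hunk excludes tokens that have expired without being revoked; if authorized_tokens filters only on revocation (as Doorkeeper's default association appears to), the list shown on the authorized-applications page can over-report permissions the application can no longer exercise. If the token records respond to `expired?`, dropping them before summing, `authorized_tokens.where(:resource_owner_id => user).reject(&:expired?).sum(Doorkeeper::OAuth::Scopes.new, &:scopes)`, keeps the page to grants that are still live; if showing expired-but-unrevoked tokens is intentional, the method should say so. Either way the new public method has no documentation — a header such as `# Union of the scopes held by this application's unrevoked access tokens for +user+; drives the permission list on the authorized-applications page.` would make the contract explicit. The enclosing class starts before the hunk.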
index 7cb03de2f13022922cbd79f663370d49dc742c48..8abbb26ed8bb46e83e7830d7d2c97f3f979a96b8 100644 (file)
@@ -4,7 +4,7 @@
   </td>
   <td class="align-middle">
     <ul class="list-unstyled mb-0">
-      <% application.scopes.each do |scope| -%>
+      <% application.authorized_scopes_for(current_user).each do |scope| -%>
         <li><%= t "oauth.scopes.#{scope}" %></li>
       <% end -%>
     </ul>
index 347d3e40e4a27049c00ed9e2f49a1e212f1a4bda..c01f7d6f325c55e8a2bbd33d09ce29cb03163911 100644 (file)
@@ -36,6 +36,32 @@ class Oauth2AuthorizedApplicationsControllerTest < ActionDispatch::IntegrationTe
     assert_select "tbody tr", 2
   end
 
+  def test_index_scopes
+    user = create(:user)
+    application1 = create(:oauth_application, :scopes => %w[read_prefs write_prefs write_diary read_gpx write_gpx])
+    create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+    create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_prefs])
+    create(:oauth_access_grant, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+    create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_prefs write_diary])
+
+    get oauth_authorized_applications_path
+    assert_response :redirect
+    assert_redirected_to login_path(:referer => oauth_authorized_applications_path)
+
+    session_for(user)
+
+    get oauth_authorized_applications_path
+    assert_response :success
+    assert_template "oauth2_authorized_applications/index"
+    assert_select "tbody tr", 1
+    assert_select "tbody tr td ul" do
+      assert_select "li", :count => 3
+      assert_select "li", :text => "Read user preferences"
+      assert_select "li", :text => "Modify user preferences"
+      assert_select "li", :text => "Create diary entries, comments and make friends"
+    end
+  end
+
   def test_destroy
     user = create(:user)
     application1 = create(:oauth_application)
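Review bot: test_index_scopes only exercises tokens that are all still valid, so it never proves the property the commit is about — that a permission the user has withdrawn disappears from the list. Adding a revoked token carrying a scope the live tokens do not hold, e.g. `create(:oauth_access_token, :resource_owner_id => user.id, :application => application1, :scopes => %w[read_gpx], :revoked_at => Time.now.utc)` before the second `get`, lets the existing `assert_select "li", :count => 3` catch a regression where revoked tokens leak back into the union; the factory attribute name for the revocation timestamp should be confirmed against the project's factories. A companion case with an expired, unrevoked token would document whichever behaviour the model is meant to have for those. The test class continues outside the hunk.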