From f4d1d97848306e71b6525c58f2e5691b8aa686b7 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Fri, 30 Jul 2021 22:39:39 +0100 Subject: [PATCH] Add a privileged scope that allows email addresses to be returned --- app/controllers/application_controller.rb | 6 ++++++ app/views/api/users/_user.json.jbuilder | 2 ++ app/views/api/users/_user.xml.builder | 1 + config/locales/en.yml | 1 + lib/oauth.rb | 2 +- 5 files changed, 11 insertions(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 0884964ed..517b11e14 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -395,4 +395,10 @@ class ApplicationController < ActionController::Base referer.to_s end + + def scope_enabled?(scope) + doorkeeper_token&.includes_scope?(scope) || current_token&.includes_scope?(scope) + end + + helper_method :scope_enabled? end diff --git a/app/views/api/users/_user.json.jbuilder b/app/views/api/users/_user.json.jbuilder index 8423353dd..7659e4e11 100644 --- a/app/views/api/users/_user.json.jbuilder +++ b/app/views/api/users/_user.json.jbuilder @@ -65,5 +65,7 @@ json.user do json.count user.sent_messages.size end end + + json.email user.email if scope_enabled?(:read_email) end end diff --git a/app/views/api/users/_user.xml.builder b/app/views/api/users/_user.xml.builder index 9092f2c96..7d6b177f2 100644 --- a/app/views/api/users/_user.xml.builder +++ b/app/views/api/users/_user.xml.builder @@ -40,5 +40,6 @@ xml.tag! "user", :id => user.id, :unread => user.new_messages.size xml.tag! "sent", :count => user.sent_messages.size end + xml.tag! "email", user.email if scope_enabled?(:read_email) end end diff --git a/config/locales/en.yml b/config/locales/en.yml index 0b745aa7c..89a869683 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml 
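Review bot: `scope_enabled?` tests scope membership only, so its answer can be trusted only for a token that has already been validated. Doorkeeper's `doorkeeper_token` helper returns whatever token the request presents, and `includes_scope?` does not look at expiry or revocation, so an expired or revoked token carrying `read_email` would still yield true here unless every caller runs after the API's authentication filter. If that ordering is not guaranteed, the OAuth 2 half could be `doorkeeper_token&.acceptable?(scope)`; otherwise a comment such as `# Assumes the token was already validated by the authentication filter; returns nil when no token is present` would record the precondition. The class body above the hunk is not visible, so whether the method lands under `private` cannot be confirmed from here.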
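Review bot: Whose address `json.email user.email` exposes depends on a block that opens above this hunk: the new line sits one level inside `json.user do`, next to the message counts, and the enclosing condition is not visible. If that block is an own-account guard, a `read_email` token sees only its owner's address; if it is not, the token can read the address of every user this partial renders, which is a much larger grant than the locale string "Read user email address" suggests. A short comment on the line, e.g. `# own record only; requires the privileged read_email scope`, and a test asserting the field is absent without the scope and for other users would pin this down; the diffstat lists no test files. The same applies to the `xml.tag! "email"` line in `_user.xml.builder`.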
@@ -2342,6 +2342,7 @@ en: read_gpx: Read private GPS traces write_gpx: Upload GPS traces write_notes: Modify notes + read_email: Read user email address oauth_clients: new: title: "Register a new application" diff --git a/lib/oauth.rb b/lib/oauth.rb index 6980447f9..07e54d858 100644 --- a/lib/oauth.rb +++ b/lib/oauth.rb @@ -1,6 +1,6 @@ module Oauth SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze - PRIVILEGED_SCOPES = %w[].freeze + PRIVILEGED_SCOPES = %w[read_email].freeze class Scope attr_reader :name -- 2.43.2
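Review bot: `PRIVILEGED_SCOPES` receives its first entry here, yet nothing in the hunk says what makes a scope privileged or where that is enforced. Since the list was empty before, the code path that keeps ordinary application registrations from requesting these scopes has presumably never been exercised with a real value, and is worth confirming. A comment above the constant, for example `# Scopes that expose personal data; not selectable when registering an application`, would make the intent explicit once checked against the enforcement code. The `Scope` class continues past the end of the hunk.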