Add a privileged scope that allows email addresses to be returned

2021-07-30 22:39:39 +01:00 · 2021-07-30 22:39:39 +01:00 · f4d1d97848
commit f4d1d97848
parent 6c6e8883f7
5 changed files with 11 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -395,4 +395,10 @@ class ApplicationController < ActionController::Base

    referer.to_s
  end
+
+  def scope_enabled?(scope)
+    doorkeeper_token&.includes_scope?(scope) || current_token&.includes_scope?(scope)
+  end
+
+  helper_method :scope_enabled?
 end
--- a/app/views/api/users/_user.json.jbuilder
+++ b/app/views/api/users/_user.json.jbuilder
@ -65,5 +65,7 @@ json.user do
        json.count user.sent_messages.size
      end
    end
+
+    json.email user.email if scope_enabled?(:read_email)
  end
 end
--- a/app/views/api/users/_user.xml.builder
+++ b/app/views/api/users/_user.xml.builder
@ -40,5 +40,6 @@ xml.tag! "user", :id => user.id,
                           :unread => user.new_messages.size
      xml.tag! "sent", :count => user.sent_messages.size
    end
+    xml.tag! "email", user.email if scope_enabled?(:read_email)
  end
 end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -2342,6 +2342,7 @@ en:
      read_gpx: Read private GPS traces
      write_gpx: Upload GPS traces
      write_notes: Modify notes
+      read_email: Read user email address
  oauth_clients:
    new:
      title: "Register a new application"
--- a/lib/oauth.rb
+++ b/lib/oauth.rb
@ -1,6 +1,6 @@
 module Oauth
  SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
-  PRIVILEGED_SCOPES = %w[].freeze
+  PRIVILEGED_SCOPES = %w[read_email].freeze

  class Scope
    attr_reader :name