Fix oauth2 permission enforcement logic.

2026-01-26 23:39:11 -05:00 · 2012-08-03 11:46:00 -07:00
parent cf6b533b5d
commit 5b373c3e29
1 changed files with 3 additions and 1 deletions
--- a/r2/r2/controllers/oauth2.py
+++ b/r2/r2/controllers/oauth2.py
@@ -225,7 +225,9 @@ class OAuth2ResourceController(MinimalController):
        if handler:
            oauth2_perms = getattr(handler, "oauth2_perms", None)
            if oauth2_perms:
-                if set(oauth2_perms["allowed_scopes"]).intersection(access_token.scope_list):
+                granted_scopes = set(access_token.scope_list)
+                required_scopes = set(oauth2_perms['allowed_scopes'])
+                if not (granted_scopes >= required_scopes):
                    self._auth_error(403, "insufficient_scope")
            else:
                self._auth_error(400, "invalid_request")