From 5b373c3e29e33ea99c372199f48c864d080ecfdd Mon Sep 17 00:00:00 2001
From: Logan Hanks
Date: Fri, 3 Aug 2012 11:46:00 -0700
Subject: [PATCH] Fix oauth2 permission enforcement logic.
---
 r2/r2/controllers/oauth2.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/r2/r2/controllers/oauth2.py b/r2/r2/controllers/oauth2.py
index 774a3068d..2db4e91a0 100644
--- a/r2/r2/controllers/oauth2.py
+++ b/r2/r2/controllers/oauth2.py
@@ -225,7 +225,9 @@ class OAuth2ResourceController(MinimalController):
 if handler:
 oauth2_perms = getattr(handler, "oauth2_perms", None)
 if oauth2_perms:
- if set(oauth2_perms["allowed_scopes"]).intersection(access_token.scope_list):
+ granted_scopes = set(access_token.scope_list)
+ required_scopes = set(oauth2_perms['allowed_scopes'])
+ if not (granted_scopes >= required_scopes):
 self._auth_error(403, "insufficient_scope")
 else:
 self._auth_error(400, "invalid_request")
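Review bot: The superset test on the new `if not (granted_scopes >= required_scopes):` line rejects a token unless it carries every entry of `allowed_scopes`, yet that key name and the intersection check this commit replaces both read as an any-of list; if the decorator's `oauth2_perms` is meant to list acceptable alternatives, a token holding only one of them now gets a 403. If all-of is the intended contract, make it explicit with a comment on the `required_scopes = ...` line such as `# every scope listed in allowed_scopes must be present on the token` and consider aligning the key name with the variable name so the policy is not ambiguous to the next reader. An empty `allowed_scopes` makes the comparison vacuously true, so such a handler accepts any valid token; if that is not intended, guard it with `if not required_scopes or not (granted_scopes >= required_scopes):`. The added lines quote `'allowed_scopes'` with single quotes while the surrounding code uses double quotes. The enclosing method of OAuth2ResourceController starts and ends outside the hunk.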