diff --git a/lib/travis/api/app/extensions/scoping.rb b/lib/travis/api/app/extensions/scoping.rb
index 2e1624d3..d932a053 100644
--- a/lib/travis/api/app/extensions/scoping.rb
+++ b/lib/travis/api/app/extensions/scoping.rb
@@ -11,6 +11,16 @@ class Travis::Api::App
 def public?
 scope == :public
 end
+
+ def required_params_match?
+ return true unless token = env['travis.access_token']
+
+ if token.extra && (required_params = token.extra['required_params'])
+ required_params.all? { |name, value| params[name] == value }
+ else
+ true
+ end
+ end
 end
 
 def self.registered(app)
@@ -24,7 +34,7 @@ class Travis::Api::App
 scopes = env['travis.access_token'].try(:scopes) || settings.anonymous_scopes
 
 result = names.any? do |name|
- if scopes.include? name
+ if scopes.include?(name) && required_params_match?
 headers['X-OAuth-Scopes'] = scopes.map(&:to_s).join(',')
 headers['X-Accepted-OAuth-Scopes'] = name.to_s
 
diff --git a/spec/integration/scopes_spec.rb b/spec/integration/scopes_spec.rb
index d5b13576..6230ee54 100644
--- a/spec/integration/scopes_spec.rb
+++ b/spec/integration/scopes_spec.rb
@@ -8,6 +8,10 @@ describe 'App' do
 get '/hash', scope: [:foo, :bar] do
 respond_with foo: 'bar'
 end
+
+ get '/:job_id/log' do
+ respond_with job_id: params[:job_id]
+ end
 end
 end
 
@@ -29,4 +33,17 @@ describe 'App' do
 response = get '/foo/hash', {}, 'HTTP_ACCEPT' => 'application/json', 'HTTP_AUTHORIZATION' => "token #{token.token}"
 response.status.should == 403
 end
+
+ it 'checks if required_params match the from the request' do
+ extra = {
+ required_params: { job_id: '10' }
+ }
+ token = Travis::Api::App::AccessToken.new(app_id: 1, user_id: 2, extra: extra).tap(&:save)
+
+ response = get '/foo/10/log', {}, 'HTTP_ACCEPT' => 'application/json', 'HTTP_AUTHORIZATION' => "token #{token.token}"
+ response.should be_successful
+
+ response = get '/foo/11/log', {}, 'HTTP_ACCEPT' => 'application/json', 'HTTP_AUTHORIZATION' => "token #{token.token}"
+ response.status.should == 403
+ end
 end
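Review bot: `required_params_match?` fails open whenever `token.extra['required_params']` is nil, and it only looks up the string key, so a token whose `extra` still carries symbol keys (the spec in this commit builds `extra` as `{ required_params: { job_id: '10' } }`) keeps its restriction only if the save/load round trip stringifies keys — a freshly built, unsaved token would silently lose it. The same applies to the values: `params[name] == value` is strict equality, so a restriction stored as the integer `10` never matches the string `'10'` that the route capture yields in `params`. Consider stating the contract on the method, e.g. `# extra['required_params'] must use string keys and string values; each is compared verbatim against params`, and, if AccessToken does not normalise `extra` on load, normalising here with `required_params.all? { |name, value| params[name.to_s] == value.to_s }`. The assignments inside the `unless` and `if` conditions are a style point RuboCop flags; lifting them out, `token = env['travis.access_token']` followed by `return true unless token`, reads more clearly.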
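Review bot: `required_params_match?` is consulted here against `params`, which in Sinatra merges query and body parameters with route captures, so the restriction only truly binds endpoints whose route captures the named parameter; on any other endpoint the token's scopes cover, the comparison sees client-supplied values rather than a route binding. If the intent is to pin a token to a single job, the safer design is to compare against the route captures only, or to additionally require a narrow scope on such tokens, and to record that assumption at this line, e.g. `# required_params are matched against the merged params hash; they only constrain routes that bind those names`. The `names.any?` block and the method enclosing it both continue outside this hunk, so the 403 path taken when the check fails is not visible here.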
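Review bot: The example description `'checks if required_params match the from the request'` is missing a word; `it 'checks if required_params match the ones from the request' do` reads correctly. The example also only exercises a matching and a mismatching capture on the route that binds `:job_id`; sending the same token to a route that does not bind it (`/foo/hash` is already used above) would pin down whether such tokens are meant to be denied there, which the implementation currently decides by comparing a nil `params['job_id']` against `'10'`. Note that `extra` is built with symbol keys while the implementation reads `token.extra['required_params']`, so this example is the only place documenting that `save` and the later lookup agree on key type.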