From 946e734d98d3ad40c20088ad81831952e530bdef Mon Sep 17 00:00:00 2001
From: Konstantin Haase
Date: Thu, 15 Nov 2012 16:59:17 +0100
Subject: [PATCH] need to check scopes before storing token
---
 lib/travis/api/app/endpoint/authorization.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 9380be45..1215e49e 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -205,10 +205,10 @@ class Travis::Api::App
  def user_for_github_token(token)
  data = GH.with(token: token.to_s) { GH['user'] }
  scopes = parse_scopes data.headers['x-oauth-scopes']
- user = UserManager.new(data, token).fetch
-
- halt 403, 'not a Travis user' if user.nil?
  halt 403, 'insufficient access' unless acceptable? scopes
+
+ user = UserManager.new(data, token).fetch
+ halt 403, 'not a Travis user' if user.nil?
  user
  end
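Review bot: The ordering in `user_for_github_token` is now security-relevant but nothing in the code marks it, so a later tidy-up could move `halt 403, 'insufficient access'` back below `UserManager.new(data, token).fetch`. Going by the commit subject, `fetch` is what stores the token, so a comment above the scope check would pin the intent, e.g. `# Check scopes first: UserManager#fetch stores the token.` The patch touches only authorization.rb, so a spec asserting that a token rejected for insufficient scopes leaves the stored token unchanged would guard against regression. Separately, `data.headers['x-oauth-scopes']` may be absent on some responses; `parse_scopes` and `acceptable?` are defined outside this hunk, so confirm they treat a nil header as an empty scope list and fail closed.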