fix(scopes): Dont treat `foo:write` as a sub-scope of `foo`.

2016-07-01 16:58:28 +10:00 · 2016-07-01 16:58:28 +10:00 · b4b30c2965
--- a/lib/scope.js
+++ b/lib/scope.js
@ -4,13 +4,13 @@


 function Scope(arr) {
-  if (!(this instanceof Scope)) {
+  if (arr instanceof Scope) {
+    return arr;
+  } else if (!(this instanceof Scope)) {
    return new Scope(arr);
  }
  if (!arr) {
    arr = [];
-  } else if (arr instanceof Scope) {
-    return arr;
  } else if (typeof arr === 'string') {
    arr = arr.split(/\s+/);
  }
@ -32,7 +32,19 @@ Scope.prototype = {
      } else if (word in this._values || word + ':write' in this._values) {
        return true;
      } else {
-        var prefix = word.split(':').slice(0, -1).join(':');
+        var parts = word.split(':');
+        var suffix = parts.pop();
+        if (suffix === 'write') {
+          // pop the next one off
+          // but still require this to be a 'write' scope
+          if (parts.pop()) {
+            parts.push('write');
+          } else {
+            // this was a weird scope. don't try to fix it, just say NO!
+            return false;
+          }
+        }
+        var prefix = parts.join(':');
        return prefix && this.has(prefix);
      }
    }, this);
--- a/test/api.js
+++ b/test/api.js
@ -1088,6 +1088,29 @@ describe('/v1', function() {
          });
        });

+        it('should not expand read scope to write scope', function() {
+          return newToken({
+            access_type: 'offline',
+            scope: 'foo'
+          }).then(function(res) {
+            assert.equal(res.statusCode, 200);
+            assert.equal(res.result.scope, 'foo');
+            return Server.api.post({
+              url: '/token',
+              payload: {
+                client_id: clientId,
+                client_secret: secret,
+                grant_type: 'refresh_token',
+                refresh_token: res.result.refresh_token,
+                scope: 'foo:write'
+              }
+            });
+          }).then(function(res) {
+            assert.equal(res.statusCode, 400);
+            assert.equal(res.result.errno, 114);
+          });
+        });
+
      });

      describe('?ttl', function() {
--- a/test/scope.js
+++ b/test/scope.js
@ -53,6 +53,9 @@ describe('Scope', function() {
      assert(s1.has('foo:mah:pa bar:baz:quux'));
      assert(!s1.has('bar'));

+      assert(!s1.has('foo:write'));
+      assert(!s1.has('foo:dee:write'));
+
      var s2 = Scope('foo bar baz:quux:write');
      assert(s2.has('foo bar baz:quux'));