The user grants a permission to the client that he does not have #309

Closed
springploughing opened this issue Jun 1, 2021 · 3 comments
Labels: status: duplicate (A duplicate of another issue)

Comments

springploughing (Author) commented Jun 1, 2021

In authorization_code mode, what happens if the client applies for a permission that the user does not have?
E.g.:

  1. All users have message.read, message.write and other permissions.
  2. The client is configured with all the permissions in 1 above.
  3. There is now a user Tom who only has message.read permission.
  4. The client requests authorization with scope=message.write. At this point Tom only has message.read, but the code is still returned successfully after authorization, and the code can still be exchanged for a token.
@springploughing springploughing added the type: bug A general bug label Jun 1, 2021
jgrandja (Collaborator) commented Jun 1, 2021

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

@jgrandja jgrandja closed this as completed Jun 1, 2021
@jgrandja jgrandja self-assigned this Jun 1, 2021
@jgrandja jgrandja added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: bug A general bug labels Jun 1, 2021
springploughing (Author) commented

@jgrandja Hello, I do want to enhance the existing function, because I found that when the user authorizes on the authorization (consent) page, it only verifies that the registered client has this permission, but in fact the user does not have this permission at all, which is equivalent to the user granting the client a permission that he does not have.

@springploughing springploughing changed the title from "In authorization_code mode, what happens if the client applies for a permission that the user does not have?" to "The user grants a permission to the client that he does not have" Jun 2, 2021
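The check the report describes as missing, as an added Python example that is not part of this project's code: a requested scope must be registered for the client (the check that exists today) and also held by the resource owner (the check the issue asks for), otherwise the request fails with the standard `invalid_scope` error. The `user_scopes` input is assumed to be derived from the authenticated user's authorities; how authorities map to scope values is an assumption of the example, as is the optional `narrow` mode, which drops unheld scopes instead of rejecting (RFC 6749 §3.3 allows the server to issue fewer scopes than requested).

```python
"""Scope resolution for the consent step of an OAuth 2.0 authorization-code flow.

Constructed example modelling the scenario from the issue (client registered
for message.read + message.write, user Tom holding only message.read).
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class ScopeDecision:
    granted: FrozenSet[str]        # scopes the authorization code may carry
    rejected: FrozenSet[str]       # requested scopes that were refused
    error: Optional[str] = None    # OAuth 2.0 error code, e.g. "invalid_scope"


def resolve_scopes(requested: Iterable[str], client_scopes: Iterable[str],
                   user_scopes: Iterable[str], *, narrow: bool = False) -> ScopeDecision:
    """Decide which requested scopes may be granted to the client.

    requested     - scope values parsed from the authorization request
    client_scopes - scopes registered for the client (the existing check)
    user_scopes   - scopes the authenticated resource owner actually holds
                    (assumed to be derived from the user's authorities)
    narrow        - False: any unheld scope fails the request (invalid_scope)
                    True:  unheld scopes are dropped and the rest proceed
    """
    req = frozenset(requested)
    client = frozenset(client_scopes)
    user = frozenset(user_scopes)

    # Existing check: the client must be registered for every requested scope.
    if not req <= client:
        return ScopeDecision(frozenset(), req - client, "invalid_scope")

    # Missing check from the issue: the user must hold every requested scope,
    # otherwise the user would be consenting to a permission he does not have.
    unheld = req - user
    if unheld and not narrow:
        return ScopeDecision(frozenset(), unheld, "invalid_scope")

    granted = req & user
    if not granted:
        # Narrowing removed every scope; there is nothing left to consent to.
        return ScopeDecision(frozenset(), unheld, "invalid_scope")
    return ScopeDecision(granted, unheld)
```

When `narrow=True` drops scopes, the token response must carry the `scope` parameter so the client learns what it actually received (RFC 6749 §5.1).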
jgrandja (Collaborator) commented Jun 9, 2021

@litchi0509 The issue you described is a duplicate of gh-187.

Please see the following comments (gh-289, gh-139) for further context.

@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed for: stackoverflow A question that's better suited to stackoverflow.com labels Jun 9, 2021