Problem/Motivation
When using an OAuth client whose scope has role granularity, a permission that the role holds only implicitly (through the "Authenticated User" role) is no longer respected.
Steps to reproduce
1. Create an OAuth Scope with a role granularity, with a role of anything other than anonymous or authenticated
2. Apply the permission "access content" to the "Authenticated User" role and not that selected role
3. Attempt to view a node / taxonomy item via the JSON API using an OAuth access token
4. 403 will be returned
Proposed resolution
The original Drupal\simple_oauth\Plugin\ScopeGranularity\Role::hasPermission() function checked both the user's role and AccountInterface::AUTHENTICATED_ROLE for the permission whenever the role being checked was neither anonymous nor authenticated. In the refactored version, the new getRoles() function does not do this and only checks the explicit role of the scope.
Adding AccountInterface::AUTHENTICATED_ROLE to the roles returned by the new Drupal\simple_oauth\Plugin\ScopeGranularity\Role::getRoles() function, whenever the scope's role isn't Anonymous or Authenticated, resolves this issue.
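As an added illustration (not code from the simple_oauth module or from the MR), the following standalone PHP script models the behaviour the resolution describes with constructed role/permission data. The two constants and the hasPermission() stand-in are assumptions that mirror the Drupal names the issue mentions; they let the script run without a Drupal install.

```php
<?php
// Added illustration (not simple_oauth code): how a role-granularity scope
// should resolve permissions so that grants on the implicit "authenticated"
// role still apply to scopes bound to a custom role.

declare(strict_types=1);

// Stand-ins for Drupal\Core\Session\AccountInterface constants (assumption,
// so the script runs offline).
const ANONYMOUS_ROLE = 'anonymous';
const AUTHENTICATED_ROLE = 'authenticated';

// Constructed role => permissions map standing in for Drupal's role config.
// "access content" is granted to the authenticated role only, as in the
// reproduction steps; the "editor" role carries no explicit grant for it.
$rolePermissions = [
    ANONYMOUS_ROLE => [],
    AUTHENTICATED_ROLE => ['access content'],
    'editor' => ['edit any article content'],
];

/**
 * Behaviour of the refactored getRoles() as described in the issue: only the
 * scope's explicit role is returned, so implicit authenticated grants are lost.
 */
function getRolesBroken(string $scopeRole): array {
    return [$scopeRole];
}

/**
 * Proposed fix: any role other than anonymous/authenticated is, in Drupal's
 * model, always held together with the authenticated role, so include it.
 */
function getRolesFixed(string $scopeRole): array {
    $roles = [$scopeRole];
    if (!in_array($scopeRole, [ANONYMOUS_ROLE, AUTHENTICATED_ROLE], true)) {
        $roles[] = AUTHENTICATED_ROLE;
    }
    return $roles;
}

/**
 * Permission check over a set of roles (stand-in for the plugin's
 * hasPermission(); hypothetical signature).
 */
function hasPermission(array $roles, string $permission, array $rolePermissions): bool {
    foreach ($roles as $role) {
        if (in_array($permission, $rolePermissions[$role] ?? [], true)) {
            return TRUE;
        }
    }
    return FALSE;
}

// Token issued for a scope with role granularity "editor", request for a node.
$scopeRole = 'editor';
$permission = 'access content';

printf("broken getRoles(): %s -> %s\n",
    implode(',', getRolesBroken($scopeRole)),
    hasPermission(getRolesBroken($scopeRole), $permission, $rolePermissions) ? 'allowed' : '403');
printf("fixed getRoles():  %s -> %s\n",
    implode(',', getRolesFixed($scopeRole)),
    hasPermission(getRolesFixed($scopeRole), $permission, $rolePermissions) ? 'allowed' : '403');

// A scope bound to the anonymous role must not inherit authenticated grants.
printf("anonymous scope:   %s -> %s\n",
    implode(',', getRolesFixed(ANONYMOUS_ROLE)),
    hasPermission(getRolesFixed(ANONYMOUS_ROLE), $permission, $rolePermissions) ? 'allowed' : '403');
```

Run with `php role_scope_demo.php`. The first line reproduces the 403 from the steps above, the second shows the request allowed once the authenticated role is included, and the third confirms that an anonymous-role scope is unchanged by the fix, which is the check a reviewer would want before accepting the MR.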
Issue fork simple_oauth-3555151
Comments
Comment #3
tylermc commented:
Hi,
I've added the fix to the MR which now should better reflect the original functionality of the simple_oauth module.
Using this patch fixes my issue on our Drupal Install.
Cheers
Comment #6
bojan_dev commented:
Nice catch @tylermc, merged and tagged in 6.0.8.