Disable administrative doorkeeper routes (#29187)
parent
b83076647e
commit
eae436c5a8
|
@ -21,9 +21,14 @@ Doorkeeper.configure do
|
||||||
user unless user&.otp_required_for_login?
|
user unless user&.otp_required_for_login?
|
||||||
end
|
end
|
||||||
|
|
||||||
# If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
|
# Doorkeeper provides some administrative interfaces for managing OAuth
|
||||||
|
# Applications, allowing creation, edit, and deletion of applications from the
|
||||||
|
# server. At present, these administrative routes are not integrated into
|
||||||
|
# Mastodon, and as such, we've disabled them by always return a 403 forbidden
|
||||||
|
# response for them. This does not affect the ability for users to manage
|
||||||
|
# their own OAuth Applications.
|
||||||
admin_authenticator do
|
admin_authenticator do
|
||||||
current_user&.admin? || redirect_to(new_user_session_url)
|
head 403
|
||||||
end
|
end
|
||||||
|
|
||||||
# Authorization Code expiration time (default 10 minutes).
|
# Authorization Code expiration time (default 10 minutes).
|
||||||
|
|
|
@ -0,0 +1,83 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
describe 'Disabled OAuth routes' do
|
||||||
|
# These routes are disabled via the doorkeeper configuration for
|
||||||
|
# `admin_authenticator`, as these routes should only be accessible by server
|
||||||
|
# administrators. For now, these routes are not properly designed and
|
||||||
|
# integrated into Mastodon, so we're disabling them completely
|
||||||
|
describe 'GET /oauth/applications' do
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
get oauth_applications_path
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'POST /oauth/applications' do
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
post oauth_applications_path
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'GET /oauth/applications/new' do
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
get new_oauth_application_path
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'GET /oauth/applications/:id' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
get oauth_application_path(application)
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'PATCH /oauth/applications/:id' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
patch oauth_application_path(application)
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'PUT /oauth/applications/:id' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
put oauth_application_path(application)
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'DELETE /oauth/applications/:id' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
delete oauth_application_path(application)
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'GET /oauth/applications/:id/edit' do
|
||||||
|
let(:application) { Fabricate(:application, scopes: 'read') }
|
||||||
|
|
||||||
|
it 'returns 403 forbidden' do
|
||||||
|
get edit_oauth_application_path(application)
|
||||||
|
|
||||||
|
expect(response).to have_http_status(403)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue