From 883301c814419c1766b30bb1ff5c9131c556fc95 Mon Sep 17 00:00:00 2001
From: Julian Rother <julian@cccv.de>
Date: Thu, 2 Sep 2021 14:48:01 +0200
Subject: [PATCH] Fix for 45d4598 (Replace flask_oauthlib with plain oauthlib)

45d4598 accidentally removed the OAuth2.0 access permission check based on
Client.required_group. This change adds it again.
---
 uffd/oauth2/views.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py
index c52fb137..cb8037c9 100644
--- a/uffd/oauth2/views.py
+++ b/uffd/oauth2/views.py
@@ -175,6 +175,8 @@ def authorize():
 	# Here we would normally ask the user, if he wants to give the requesting
 	# service access to his data. Since we only have trusted services (the
 	# clients defined in the server config), we don't ask for consent.
+	if not client.access_allowed(credentials['user']):
+		raise oauthlib.oauth2.rfc6749.errors.AccessDeniedError('User is not permitted to authenticate with this service.')
 	session['oauth2-clients'] = session.get('oauth2-clients', [])
 	if client.client_id not in session['oauth2-clients']:
 		session['oauth2-clients'].append(client.client_id)
-- 
GitLab