<p>The Authenticate#allow? method (from oauth-plugin) sets <code>current_user</code> as a side effect of checking the token. But this allowed a valid token to access all actions that are available to that user, beyond the capabilities for that token.</p>
<p>This PR changes that, so that if there is a token, only the permissions from the Capability class are used. I've added a couple of tests that illustrate the change, to show that with the new approach you definitely need the allow_read_prefs permission on a token.</p>
<p>I went for the @request.env fiddling to make the request, since creating a fully signed request (as used in test/integration/oauth_test) is a bit more complex than I would like. But I'm open to other suggestions.</p>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>  <a href='https://github.com/openstreetmap/openstreetmap-website/pull/2083'>https://github.com/openstreetmap/openstreetmap-website/pull/2083</a></p>

<h4>Commit Summary</h4>
<ul>
  <li>Use only token capabilities when a token is provided</li>
</ul>

<h4>File Changes</h4>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/2083/files#diff-0">app/controllers/application_controller.rb</a>
    (4)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/2083/files#diff-1">test/controllers/user_preferences_controller_test.rb</a>
    (31)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/2083.patch'>https://github.com/openstreetmap/openstreetmap-website/pull/2083.patch</a></li>
  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/2083.diff'>https://github.com/openstreetmap/openstreetmap-website/pull/2083.diff</a></li>
</ul>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/2083">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ABWnLRhRF8xJujPXqY4g0PCTbKZgBZsUks5u4R3ugaJpZM4ZPpNb">mute the thread</a>.<img src="https://github.com/notifications/beacon/ABWnLbyIAE1OPfhG3ARsv2l6hAuyVx28ks5u4R3ugaJpZM4ZPpNb.gif" height="1" width="1" alt="" /></p>
<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/openstreetmap/openstreetmap-website","title":"openstreetmap/openstreetmap-website","subtitle":"GitHub repository","main_image_url":"https://assets-cdn.github.com/images/email/message_cards/header.png","avatar_image_url":"https://assets-cdn.github.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/openstreetmap/openstreetmap-website"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"Use only token capabilities when a token is provided (#2083)"}],"action":{"name":"View Pull Request","url":"https://github.com/openstreetmap/openstreetmap-website/pull/2083"}}}</script>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/openstreetmap/openstreetmap-website/pull/2083",
"url": "https://github.com/openstreetmap/openstreetmap-website/pull/2083",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>