<p><b>@tomhughes</b> commented on this pull request.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4387#discussion_r1416152114">app/abilities/api_capability.rb</a>:</p>
<pre style='color:#555'>> @@ -31,10 +31,10 @@ def initialize(token)
if user.moderator?
can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
can :destroy, Note if scope?(token, :write_notes)
- if user&.terms_agreed?
- can :redact, OldNode if scope?(token, :write_api)
- can :redact, OldWay if scope?(token, :write_api)
- can :redact, OldRelation if scope?(token, :write_api)
+ if user&.terms_agreed? && (scope?(token, :write_api) || scope?(token, :write_redactions))
+ can :redact, OldNode
+ can :redact, OldWay
+ can :redact, OldRelation
</pre>
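<p dir="auto">Review bot: The combined condition on the added <code class="notranslate">if</code> line still accepts <code class="notranslate">write_api</code>, so a moderator token holding only <code class="notranslate">write_api</code> keeps redaction rights and the new <code class="notranslate">write_redactions</code> scope does not yet narrow anything. If this is a transition step, a comment beside the condition saying when the <code class="notranslate">write_api</code> branch will be dropped would keep it from becoming permanent, and a test for a token holding only <code class="notranslate">write_redactions</code> would pin the new path. The safe-navigation call on <code class="notranslate">user</code> is also unnecessary here, since the enclosing <code class="notranslate">if user.moderator?</code> has already dereferenced it.</p>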
<p dir="auto">I'd prefer to leave the guards on the individual <code class="notranslate">can</code> methods for consistency - it's the way we do it everywhere else in the file even though it's duplicative.</p>
<p dir="auto">The double condition is only temporary anyway.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4387#discussion_r1416153145">app/helpers/authorization_helper.rb</a>:</p>
<pre style='color:#555'>> @@ -0,0 +1,15 @@
+module AuthorizationHelper
+ include ActionView::Helpers::TranslationHelper
+
+ MODERATOR_SCOPES = %w[write_redactions].freeze
</pre>
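<p dir="auto">Review bot: The <code class="notranslate">include ActionView::Helpers::TranslationHelper</code> line looks unneeded: nothing in the lines quoted here calls <code class="notranslate">t</code> or <code class="notranslate">translate</code>, and a helper module rendered from a view already has the translation helpers mixed in. Unless the module is used outside a view context, dropping the include keeps the helper smaller.</p>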
<p dir="auto">This should probably be in <code class="notranslate">lib/oauth.rb</code> for consistency?</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4387#discussion_r1416155130">app/helpers/authorization_helper.rb</a>:</p>
<pre style='color:#555'>> @@ -0,0 +1,15 @@
+module AuthorizationHelper
+ include ActionView::Helpers::TranslationHelper
+
+ MODERATOR_SCOPES = %w[write_redactions].freeze
+
+ def authorization_scope(scope)
+ html = []
+ if MODERATOR_SCOPES.include? scope
+ html << image_tag("roles/moderator.png", :srcset => image_path("roles/moderator.svg", :class => "align-text-bottom"), :size => "20x20")
+ html << " "
</pre>
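<p dir="auto">Review bot: In the <code class="notranslate">image_tag</code> call, <code class="notranslate">:class => "align-text-bottom"</code> sits inside the parentheses of <code class="notranslate">image_path</code>, so it is passed as an option to the path helper and never reaches the <code class="notranslate">img</code> element. Moving the closing parenthesis so that <code class="notranslate">:class</code> is an argument of <code class="notranslate">image_tag</code> would apply it, and an <code class="notranslate">:alt</code> text for the icon would help screen readers. Also, <code class="notranslate">MODERATOR_SCOPES</code> holds strings, so <code class="notranslate">include? scope</code> is silently false if a caller passes a symbol; <code class="notranslate">scope.to_s</code> would cover both.</p>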
<p dir="auto">Putting the marker before the scope name is going to mean the scopes don't line up properly which doesn't seem right - maybe it should go after the name?</p>
<p dir="auto">Should we also add the administrator icon to privileged scopes?</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4387#discussion_r1416158272">lib/oauth.rb</a>:</p>
<pre style='color:#555'>> @@ -1,7 +1,7 @@
module Oauth
SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
- OAUTH2_SCOPES = %w[openid].freeze
+ OAUTH2_SCOPES = %w[write_redactions openid].freeze
</pre>
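<p dir="auto">Review bot: The name <code class="notranslate">write_redactions</code> is added to <code class="notranslate">OAUTH2_SCOPES</code> here, next to <code class="notranslate">openid</code>, rather than to a list of its own, so nothing in this module marks it as moderator-only the way <code class="notranslate">PRIVILEGED_SCOPES</code> marks its entries. A separate constant for moderator scopes in this module, with a one-line comment on who may be granted them, would document that intent and give the rest of the code one place to look the list up.</p>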
<p dir="auto">Should we limit who can create an application that requests moderator permissions to moderators in the way we do for administrators and privileged scopes?</p>