[openstreetmap/openstreetmap-website] Rejecting permissions in OAuth1.0a auth request has no impact (#3241)

[mmd]

I'm testing https://osmlab.github.io/osm-auth/  which is still based on OAuth 1.0a. For some reason, unchecking permissions doesn't seem to have an impact anymore. Unless my memory isn't playing some bad tricks here, but i'm pretty confident this used to work before when OAuth 2.0 wasn't yet in place.

## Steps to reproduce

0. Navigate to https://osmlab.github.io/osm-auth/

1. Hit the login button:

![image](https://user-images.githubusercontent.com/5842757/124137391-f02e3e00-da85-11eb-9b2a-fadc907828b9.png)

2. Sign in (if needed)

3. In the popup, uncheck "read your user preferences":

![image](https://user-images.githubusercontent.com/5842757/124137131-ae9d9300-da85-11eb-9629-3fd9f15af4b3.png)

4. Hit "Grant Access".

## Result

https://www.openstreetmap.org/api/0.6/user/details returns all details, although the client application isn't allowed to read my user preferences:

![image](https://user-images.githubusercontent.com/5842757/124137287-d260d900-da85-11eb-8c72-eeb1cd260517.png)



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3241
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20210701/4e6e458b/attachment.htm>