[openstreetmap/openstreetmap-website] OAuth2 authorized apps permissions shows all possible permissions, not just granted ones (Issue #4124)
Anton Khorev
notifications at github.com
Sun Jul 30 16:38:40 UTC 2023
### URL
https://www.openstreetmap.org/oauth2/authorized_applications
### How to reproduce the issue?
Since the "Permissions" column is next to the "Revoke access" button, you'd think those are the permissions that were requested by the client app and granted by the user. But actually they are all possible permissions the app can have, which were specified during the app registration.
One way to see this:
1. register an app with some permissions
2. request a token with those permissions
3. see those permissions appear in the table on https://www.openstreetmap.org/oauth2/authorized_applications
4. edit the app and add more permissions
5. see the permissions you've just added also appear in the table
6. do a token introspection (`oauth2/introspect`) or OSM API permissions check (https://api.openstreetmap.org/api/0.6/permissions) and see that you don't have those extra permissions
### Screenshot(s) or anything else?
_No response_
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4124
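The reproduction steps above as a small model, added here as an illustration; it is not code from openstreetmap-website. The `App` and `Token` structs, the function names and the sample data are hypothetical and constructed for this example.

```ruby
require "set"

# Hypothetical, simplified stand-ins for an OAuth2 application and its tokens;
# these are not the openstreetmap-website models.
App   = Struct.new(:name, :registered_scopes)
Token = Struct.new(:app, :user, :scopes, :revoked)

# What the issue describes the table as showing: every scope the app
# registration currently allows, regardless of what the user granted.
def displayed_scopes(app)
  app.registered_scopes.to_set
end

# What the user actually granted: the union of scopes on that user's
# non-revoked tokens for the app (scopes are a space-delimited string).
def granted_scopes(tokens, app, user)
  tokens.select { |t| t.app.equal?(app) && t.user == user && !t.revoked }
        .flat_map { |t| t.scopes.split }
        .to_set
end

# Scopes shown to the user that no live token of theirs carries.
def overstated_scopes(tokens, app, user)
  displayed_scopes(app) - granted_scopes(tokens, app, user)
end

# Walks the numbered steps with constructed data.
def reproduce
  app = App.new("constructed-editor", %w[read_prefs write_notes])       # step 1
  tokens = [Token.new(app, "alice", "read_prefs write_notes", false)]   # step 2
  before = overstated_scopes(tokens, app, "alice")                      # step 3
  app.registered_scopes += %w[write_api]                                # step 4
  after = overstated_scopes(tokens, app, "alice")                       # steps 5-6
  [before.to_a, after.to_a]
end

p reproduce if __FILE__ == $PROGRAM_NAME
```

A non-empty result from `overstated_scopes` is the mismatch the issue reports: the listing is derived from the registration, while the token's scopes did not change when the app was edited.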