[openstreetmap/openstreetmap-website] Create & comment notes possible with access token without `write_notes` permission (Issue #4362)
Tobias Zwick
notifications at github.com
Wed Nov 22 11:55:40 UTC 2023
### URL
_No response_
### How to reproduce the issue?
1. login with a test account on https://master.apis.dev.openstreetmap.org/
2. get an access token to access something other than creating and commenting on notes, for example:
   1. open in browser https://master.apis.dev.openstreetmap.org/oauth2/authorize?response_type=code&client_id=nOkiqW1fUHssu_e0Qbk6yLx7659s19CUx3nGmOP5JZk&redirect_uri=https://127.0.0.1/oauth&scope=read_prefs
   2. grant this application permission to read the **user prefs**
   3. get the authorization `code` from the URL
   4. paste the `code` into this request at the appropriate location and POST `https://master.apis.dev.openstreetmap.org/oauth2/token?grant_type=authorization_code&code=<code>&client_id=nOkiqW1fUHssu_e0Qbk6yLx7659s19CUx3nGmOP5JZk&redirect_uri=https://127.0.0.1/oauth`. The response contains the `access_token`. Use it to...
3. create a note with this token: e.g. POST `https://master.apis.dev.openstreetmap.org/api/0.6/notes?lat=-13&lon=+37&text=oh%20no` with header `Authorization: Bearer <access_token>`
4. A note was created in your name with an access token that doesn't have the permission to post notes.
### Screenshot(s) or anything else?
Also works with commenting on notes.
Reproducible both with OAuth 1.0a and OAuth 2.0. The OAuth 2 client in the example does not even register as (wanting to) have the create-note permission.
See also https://github.com/westnordost/osmapi/issues/24
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4362
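The defect reported above is a scope check that is never applied to the notes endpoints, so any valid token can reach them. The Ruby below is an added example, not code from openstreetmap-website: it models a small scope table for a few API 0.6 routes, shows how a fail-open policy reproduces the reported result for a `read_prefs`-only token, and how a fail-closed policy with an explicit `write_notes` rule rejects it. The rule table, `authorize` and `demo` are assumptions of this example; only the scope names come from the report.

```ruby
require "uri"

# Assumed rule table: [HTTP method, path pattern, required scope].
RULES = [
  [:get,  %r{\A/api/0\.6/user/preferences\z},    "read_prefs"],
  [:put,  %r{\A/api/0\.6/user/preferences\z},    "write_prefs"],
  [:post, %r{\A/api/0\.6/notes\z},               "write_notes"],
  [:post, %r{\A/api/0\.6/notes/\d+/comment\z},   "write_notes"],
].freeze

# The reported state, modelled as a table with no rule for notes at all.
RULES_BEFORE = RULES.reject { |_, _, scope| scope == "write_notes" }.freeze

# Match on the path only, so query parameters (lat, lon, text) cannot change the route.
def route_key(method, url)
  [method.downcase.to_sym, URI.parse(url).path]
end

# Returns :allow or :deny. fail_open: true reproduces the bug: a route without a
# rule is reachable with any token. The fixed behaviour denies unmapped routes and
# requires the mapped scope to be present on the token.
def authorize(token_scopes, method, url, rules: RULES, fail_open: false)
  m, path = route_key(method, url)
  rule = rules.find { |rm, re, _| rm == m && re.match?(path) }
  return(fail_open ? :allow : :deny) if rule.nil?
  token_scopes.include?(rule[2]) ? :allow : :deny
end

# Walks through the report: a read_prefs-only token posting the note from step 3.
def demo
  token  = ["read_prefs"]
  create = ["POST", "https://master.apis.dev.openstreetmap.org/api/0.6/notes?lat=-13&lon=+37&text=oh%20no"]
  {
    before:     authorize(token, *create, rules: RULES_BEFORE, fail_open: true), # :allow (the bug)
    after:      authorize(token, *create),                                        # :deny
    with_scope: authorize(["write_notes"], *create),                              # :allow
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The same table also covers note comments, which the report says are affected too.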