    Begin cleaning up OAuth scope handling · 60133b6f
    epriestley authored
    Summary:
    Ref T7303. OAuth scope handling never got fully modernized and is a bit of a mess.
    
    Also introduce implicit "ALWAYS" and "NEVER" scopes.
    
    Always give tokens access to meta-methods like `conduit.getcapabilities` and `conduit.query`. These do not expose user information.
    
    Test Plan:
      - Used a token to call `user.whoami`.
      - Used a token to call `conduit.query`.
      - Used a token to try to call `user.query`, got rebuffed.
    
    Reviewers: chad
    
    Reviewed By: chad
    
    Maniphest Tasks: T7303
    
    Differential Revision: https://secure.phabricator.com/D15593
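
The scope check this commit message describes, sketched as an added example that is not code from the commit or from Phabricator. The function and constant names, the `whoami` scope name and the method table are assumptions, and the ALWAYS/NEVER semantics are inferred from the message and its test plan.

```php
<?php
// Added illustration; every name here is hypothetical, not Phabricator's API.

const SCOPE_ALWAYS = 'ALWAYS'; // implicit: any valid token may call the method
const SCOPE_NEVER  = 'NEVER';  // implicit: no OAuth token may call the method

// Scopes a client may actually be granted (constructed sample).
const GRANTABLE_SCOPES = ['whoami'];

// Constructed method-to-scope table mirroring the test plan above.
const REQUIRED_SCOPE = [
  'conduit.getcapabilities' => SCOPE_ALWAYS,
  'conduit.query'           => SCOPE_ALWAYS,
  'user.whoami'             => 'whoami',
  'user.query'              => SCOPE_NEVER,
];

// At grant time: keep only known, grantable scopes. The implicit scopes are
// not in GRANTABLE_SCOPES, so a client cannot request its way into them.
function filter_requested_scopes(array $requested): array {
  return array_values(array_intersect($requested, GRANTABLE_SCOPES));
}

// At call time: decide whether a token holding $granted may call $method.
function token_may_call(string $method, array $granted): bool {
  // Methods with no declared scope fail closed.
  $required = REQUIRED_SCOPE[$method] ?? SCOPE_NEVER;

  if ($required === SCOPE_NEVER) {
    return false;
  }
  if ($required === SCOPE_ALWAYS) {
    return true;
  }
  return in_array($required, $granted, true);
}

// A client asks for more than it can have; only "whoami" survives.
$granted = filter_requested_scopes(['whoami', 'NEVER', 'ALWAYS', 'admin']);

foreach (['user.whoami', 'conduit.query', 'user.query', 'unknown.method'] as $m) {
  printf("%-16s %s\n", $m, token_may_call($m, $granted) ? 'allowed' : 'rebuffed');
}
```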