Fix for inconsistency in the auto approval of scopes

Made the implementation of ClientDetails - e.g. the BaseClientDetails - solely responsible for the decision if a scope can be auto approved. Marking a ClientDetails - when using JdbcClientDetailsService - with 'true' for the autoapprove value will still cause all scopes to be auto approved. The consent screen will be skipped in this scenario. Fixes spring-atticgh-479, fixes spring-atticgh-482
burkad01 · Jun 12, 2015 · 21c1584 · 21c1584
1 parent 4faa181
commit 21c1584
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 2 deletions.
diff --git a/...org/springframework/security/oauth/examples/sparklr/oauth/SparklrUserApprovalHandler.java b/...org/springframework/security/oauth/examples/sparklr/oauth/SparklrUserApprovalHandler.java
@@ -77,7 +77,7 @@ public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizati
 					ClientDetails client = clientDetailsService
 							.loadClientByClientId(authorizationRequest.getClientId());
 					for (String scope : requestedScopes) {
-						if (client.isAutoApprove(scope) || client.isAutoApprove("all")) {
+						if (client.isAutoApprove(scope)) {
 							approved = true;
 							break;
 						}

diff --git a/...g/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java b/...g/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java
@@ -112,7 +112,7 @@ public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizati
 			try {
 				ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
 				for (String scope : requestedScopes) {
-					if (client.isAutoApprove(scope) || client.isAutoApprove("all")) {
+					if (client.isAutoApprove(scope)) {
 						approvedScopes.add(scope);
 					}
 				}

diff --git a/...test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java b/...test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java
@@ -81,6 +81,12 @@ public void testBaseClientDetailsNoAutoApprove() {
 		assertFalse(details.isAutoApprove("read"));
 	}
 
+	@Test
+	public void testBaseClientDetailsNullAutoApprove() {
+		BaseClientDetails details = new BaseClientDetails("foo", "", "foo,bar", "authorization_code", "ROLE_USER");
+		assertFalse(details.isAutoApprove("read"));
+	}
+
 	@Test
 	public void testJsonSerialize() throws Exception {
 		BaseClientDetails details = new BaseClientDetails("foo", "", "foo,bar", "authorization_code", "ROLE_USER");