From 6fbe4a124677646250b4239a2ff7a6d547517dcd Mon Sep 17 00:00:00 2001
From: hcphat
Date: Tue, 22 Apr 2025 10:18:28 +0700
Subject: [PATCH 1/2] =?UTF-8?q?ref=202.1.=E3=83=91=E3=83=BC=E3=82=BD?=
 =?UTF-8?q?=E3=83=8A=E3=83=AB=E3=82=A2=E3=82=AF=E3=82=BB=E3=82=B9=E3=83=88?=
 =?UTF-8?q?=E3=83=BC=E3=82=AF=E3=83=B3=E6=A8=A9=E9=99=90=E3=81=AB=E9=96=A2?=
 =?UTF-8?q?=E3=81=99=E3=82=8B=E4=B8=8D=E5=85=B7=E5=90=88=E6=94=B9=E4=BF=AE?=
 =?UTF-8?q?:=20Update=20logic=20handle=20personal=20access=20token=20permi?=
 =?UTF-8?q?ssions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 addons/base/views.py | 27 +++++++++++++-------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/addons/base/views.py b/addons/base/views.py
index acc7cb1f9ab..8707bdd72cb 100644
--- a/addons/base/views.py
+++ b/addons/base/views.py
@@ -286,20 +286,19 @@ def get_metric_class_for_action(action, from_mfr):
 def get_auth(auth, **kwargs):
     logger.debug('----{}:{}::{} from {}:{}::{}'.format(*inspect_info(inspect.currentframe(), inspect.stack())))
     cas_resp = None
-    if not auth.user:
-        # Central Authentication Server OAuth Bearer Token
-        authorization = request.headers.get('Authorization')
-        if authorization and authorization.startswith('Bearer '):
-            client = cas.get_client()
-            try:
-                access_token = cas.parse_auth_header(authorization)
-                cas_resp = client.profile(access_token)
-            except cas.CasError as err:
-                sentry.log_exception()
-                # NOTE: We assume that the request is an AJAX request
-                return json_renderer(err)
-            if cas_resp.authenticated:
-                auth.user = OSFUser.load(cas_resp.user)
+    # Central Authentication Server OAuth Bearer Token
+    authorization = request.headers.get('Authorization')
+    if authorization and authorization.startswith('Bearer '):
+        client = cas.get_client()
+        try:
+            access_token = cas.parse_auth_header(authorization)
+            cas_resp = client.profile(access_token)
+        except cas.CasError as err:
+            sentry.log_exception()
+            # NOTE: We assume that the request is an AJAX request
+            return json_renderer(err)
+        if cas_resp.authenticated:
+            auth.user = OSFUser.load(cas_resp.user)
 
     # get data payload
     try:
From 223900f129645c76bce499116f8e9d03d5ec5ad5 Mon Sep 17 00:00:00 2001
From: hcphat
Date: Tue, 22 Apr 2025 16:37:49 +0700
Subject: [PATCH 2/2] =?UTF-8?q?ref=202.1.=E3=83=91=E3=83=BC=E3=82=BD?=
 =?UTF-8?q?=E3=83=8A=E3=83=AB=E3=82=A2=E3=82=AF=E3=82=BB=E3=82=B9=E3=83=88?=
 =?UTF-8?q?=E3=83=BC=E3=82=AF=E3=83=B3=E6=A8=A9=E9=99=90=E3=81=AB=E9=96=A2?=
 =?UTF-8?q?=E3=81=99=E3=82=8B=E4=B8=8D=E5=85=B7=E5=90=88=E6=94=B9=E4=BF=AE?=
 =?UTF-8?q?:=20Update=20UT=20for=20handle=20permission?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 tests/test_addons.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
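Review bot: Dropping the `if not auth.user:` guard means a Bearer header that parses but comes back with `cas_resp.authenticated` false no longer leaves `auth.user` unset — the request falls through to whatever user `Auth.from_kwargs` already resolved from the session, so an explicitly presented but unauthenticated token is quietly downgraded to cookie auth instead of being refused. The `if cas_resp.authenticated:` branch likewise now overwrites an already-populated session `auth.user` with the token's user without comparing the two, which the commit does not address; if Bearer is meant to take precedence, say so in the `# Central Authentication Server OAuth Bearer Token` comment, otherwise guard it with `token_user = OSFUser.load(cas_resp.user)` / `if auth.user and auth.user != token_user: return <the same error path used for CasError above>` and add an `else:` that clears `auth.user` (or returns 401) when the token is not authenticated. Nothing in this hunk reads `accessTokenScope`, yet the accompanying tests expect 403 for a token scoped only to `osf.users.profile_read`, so that check presumably lives in the rest of `get_auth`, which continues past the hunk — confirm it is reached now that `cas_resp` is also populated for session-authenticated requests. Note also that every request carrying a Bearer header now pays a CAS `profile()` round-trip even when a session user already exists; that is probably intended but worth a why-comment.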
diff --git a/tests/test_addons.py b/tests/test_addons.py
index b4b879a050a..7c6a2f7ccb1 100644
--- a/tests/test_addons.py
+++ b/tests/test_addons.py
@@ -305,6 +305,34 @@ def test_auth__user_is_None(self):
         res = self.app.get(url, auth=none_auth, expect_errors=True)
         assert_equal(res.status_code, 401)
+    @mock.patch('addons.base.views.OSFUser.load')
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    @mock.patch('addons.base.views.cas.get_client')
+    def test_auth_bearer_token_has_permission(self, mock_cas_client, mock_get_current_user, user_load):
+        attributes = {'lastName': 'inst11', 'firstName': 'admin01', 'accessToken': 'valid_access_token',
+                      'accessTokenScope': {'osf.full_write', 'osf.full_read'}}
+        value = cas.CasResponse(authenticated=True, attributes=attributes, user=self.user)
+        mock_cas_client.return_value = mock.Mock(profile=mock.Mock(return_value=value))
+        mock_get_current_user.return_value = Auth(self.user)
+        user_load.return_value = self.user
+        url = self.build_url()
+        res = self.app.get(url, headers={'Authorization': 'Bearer valid_access_token'}, expect_errors=False)
+        assert_equal(res.status_code, 200)
+
+    @mock.patch('addons.base.views.OSFUser.load')
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    @mock.patch('addons.base.views.cas.get_client')
+    def test_auth_bearer_token_without_permission(self, mock_cas_client, mock_get_current_user, user_load):
+        attributes = {'lastName': 'inst11', 'firstName': 'admin01', 'accessToken': 'valid_access_token',
+                      'accessTokenScope': {'osf.users.profile_read'}}
+        value = cas.CasResponse(authenticated=True, attributes=attributes, user=self.user)
+        mock_cas_client.return_value = mock.Mock(profile=mock.Mock(return_value=value))
+        mock_get_current_user.return_value = Auth(self.user)
+        user_load.return_value = self.user
+        url = self.build_url()
+        res = self.app.get(url, headers={'Authorization': 'Bearer invalid_access_token'}, expect_errors=True)
+        assert_equal(res.status_code, 403)
+
 class TestAddonLogs(OsfTestCase):