[GRDM-50105] Fix incorrect permission handling for file operations when using Personal Access Tokens

addons/base/views.py

@@ -286,20 +286,19 @@ def get_metric_class_for_action(action, from_mfr):
 def get_auth(auth, **kwargs):
     logger.debug('----{}:{}::{} from {}:{}::{}'.format(*inspect_info(inspect.currentframe(), inspect.stack())))
     cas_resp = None
-    if not auth.user:
-        # Central Authentication Server OAuth Bearer Token
-        authorization = request.headers.get('Authorization')
-        if authorization and authorization.startswith('Bearer '):
-            client = cas.get_client()
-            try:
-                access_token = cas.parse_auth_header(authorization)
-                cas_resp = client.profile(access_token)
-            except cas.CasError as err:
-                sentry.log_exception()
-                # NOTE: We assume that the request is an AJAX request
-                return json_renderer(err)
-            if cas_resp.authenticated:
-                auth.user = OSFUser.load(cas_resp.user)
+    # Central Authentication Server OAuth Bearer Token
+    authorization = request.headers.get('Authorization')
+    if authorization and authorization.startswith('Bearer '):
+        client = cas.get_client()
+        try:
+            access_token = cas.parse_auth_header(authorization)
+            cas_resp = client.profile(access_token)
+        except cas.CasError as err:
+            sentry.log_exception()
+            # NOTE: We assume that the request is an AJAX request
+            return json_renderer(err)
+        if cas_resp.authenticated:
+            auth.user = OSFUser.load(cas_resp.user)
 
     # get data payload
     try:

tests/test_addons.py

@@ -305,6 +305,34 @@ def test_auth__user_is_None(self):
         res = self.app.get(url, auth=none_auth, expect_errors=True)
         assert_equal(res.status_code, 401)
 
+    @mock.patch('addons.base.views.OSFUser.load')
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    @mock.patch('addons.base.views.cas.get_client')
+    def test_auth_bearer_token_has_permission(self, mock_cas_client, mock_get_current_user, user_load):
+        attributes = {'lastName': 'inst11', 'firstName': 'admin01', 'accessToken': 'valid_access_token',
+                      'accessTokenScope': {'osf.full_write', 'osf.full_read'}}
+        value = cas.CasResponse(authenticated=True, attributes=attributes, user=self.user)
+        mock_cas_client.return_value = mock.Mock(profile=mock.Mock(return_value=value))
+        mock_get_current_user.return_value = Auth(self.user)
+        user_load.return_value = self.user
+        url = self.build_url()
+        res = self.app.get(url, headers={'Authorization': 'Bearer valid_access_token'}, expect_errors=False)
+        assert_equal(res.status_code, 200)
+
+    @mock.patch('addons.base.views.OSFUser.load')
+    @mock.patch('framework.auth.decorators.Auth.from_kwargs')
+    @mock.patch('addons.base.views.cas.get_client')
+    def test_auth_bearer_token_without_permission(self, mock_cas_client, mock_get_current_user, user_load):
+        attributes = {'lastName': 'inst11', 'firstName': 'admin01', 'accessToken': 'valid_access_token',
+                      'accessTokenScope': {'osf.users.profile_read'}}
+        value = cas.CasResponse(authenticated=True, attributes=attributes, user=self.user)
+        mock_cas_client.return_value = mock.Mock(profile=mock.Mock(return_value=value))
+        mock_get_current_user.return_value = Auth(self.user)
+        user_load.return_value = self.user
+        url = self.build_url()
+        res = self.app.get(url, headers={'Authorization': 'Bearer invalid_access_token'}, expect_errors=True)
+        assert_equal(res.status_code, 403)
+
 
 class TestAddonLogs(OsfTestCase):