From 438dbc8bda36fcee672926a0692fdcd276c30727 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Chmielowski?=
Date: Thu, 6 Oct 2016 10:59:31 +0200
Subject: [PATCH] Make handling of oauth clauses be more consistent with other rules
---
 src/ejabberd_access_permissions.erl | 34 ++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 10 deletions(-)
diff --git a/src/ejabberd_access_permissions.erl b/src/ejabberd_access_permissions.erl
index ac023b3f2..3b88e6ade 100644
--- a/src/ejabberd_access_permissions.erl
+++ b/src/ejabberd_access_permissions.erl
@@ -267,15 +267,18 @@ matches_definition({_Name, {From, Who, What}}, Cmd, Module, Host, CallerInfo) ->
 acl:access_matches(Access, CallerInfo, Host) == allow;
 ({acl, _} = Acl) when Scope == none ->
 acl:acl_rule_matches(Acl, CallerInfo, Host);
- ({oauth, List}) when Scope /= none ->
- lists:all(
- fun({access, Access}) ->
- acl:access_matches(Access, CallerInfo, Host) == allow;
- ({acl, _} = Acl) ->
- acl:acl_rule_matches(Acl, CallerInfo, Host);
- ({scope, Scopes}) ->
- ejabberd_oauth:scope_in_scope_list(Scope, Scopes)
- end, List);
+ ({oauth, Scopes, List}) when Scope /= none ->
+ case ejabberd_oauth:scope_in_scope_list(Scope, Scopes) of
+ true ->
+ lists:any(
+ fun({access, Access}) ->
+ acl:access_matches(Access, CallerInfo, Host) == allow;
+ ({acl, _} = Acl) ->
+ acl:acl_rule_matches(Acl, CallerInfo, Host)
+ end, List);
+ _ ->
+ false
+ end;
 (_) -> false
 end, Who);
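Review bot: The new `({oauth, Scopes, List})` clause evaluates `lists:any` over `List`, which is `false` for an empty list, so an oauth rule that carries only `scope` entries can never grant access after this change (the removed `lists:all` form accepted it once the scope matched), and the parser change in the second hunk rejects an empty `Scopes` but not an empty `Rest`, so such a rule is accepted at config load and silently denies at check time. If that is the intended policy it deserves a comment on the clause, e.g. `%% An oauth rule needs a matching scope AND at least one matching access/acl entry; scope alone never grants.`; otherwise parse_who should report an empty `Rest` the same way it reports missing scopes. The inner fun has no clause for entries other than `{access, _}` / `{acl, _}`, so any other shape produced by parse_who would raise function_clause inside the permission check rather than count as a non-match — presumably parse_who only yields those two shapes at scope level, worth confirming. The `_ ->` branch of the new `case` could be written `false ->` to make the boolean contract of scope_in_scope_list explicit instead of masking an unexpected return. matches_definition starts and ends outside this hunk.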
@@ -370,7 +373,18 @@ parse_who(Name, Defs, ParseOauth) when is_list(Defs) ->
 ([{oauth, OauthList}]) when is_list(OauthList) ->
 case ParseOauth of
 oauth ->
- {oauth, parse_who(Name, lists:flatten(OauthList), scope)};
+ Nested = parse_who(Name, lists:flatten(OauthList), scope),
+ {Scopes, Rest} = lists:partition(
+ fun({scope, _}) -> true;
+ (_) -> false
+ end, Nested),
+ case Scopes of
+ [] ->
+ report_error(<<"Oauth rule must contain at least one scope rule in 'who' section for api_permission '~s'">>,
+ [Name]);
+ _ ->
+ {oauth, lists:foldl(fun({scope, S}, A) -> S ++ A end, [], Scopes), Rest}
+ end;
 scope ->
 report_error(<<"Oauth rule can't be embeded inside other oauth rule in 'who' section for api_permission '~s'">>,
 [Name])
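Review bot: The `lists:foldl(fun({scope, S}, A) -> S ++ A end, [], Scopes)` on the new `{oauth, ...}` line is a hand-rolled flatten that also reverses the order of the scope lists; `lists:append([S || {scope, S} <- Scopes])` expresses the same thing in one idiomatic call, keeping declaration order (which only matters if scope_in_scope_list is order-sensitive — presumably it is not). Both forms assume every `S` is a list; if the nested parse_who can yield a `{scope, Bin}` with a binary, `++` raises badarg at config load, so that assumption is worth confirming against the scope-level clauses of parse_who. The empty-`Scopes` check on the new `[] ->` branch relies on report_error not returning normally; if it did, its return value would silently become the parsed who entry. parse_who's body continues outside this hunk.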