enforce scopes

2025-12-24 06:16:14 -06:00 · 2025-02-25 14:21:44 +01:00 · 2025-02-25 14:21:44 +01:00 · 21d9edac54
commit 21d9edac54
parent e3857b90bb
191 changed files with 1473 additions and 648 deletions
--- a/internal/api/client/media/mediacreate.go
+++ b/internal/api/client/media/mediacreate.go
@ -101,9 +101,12 @@ func (m *Module) MediaCreatePOSTHandler(c *gin.Context) {
 		return
 	}

-	authed, err := apiutil.TokenAuth(c, true, true, true, true)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		true, true, true, true,
+		apiutil.ScopeWriteMedia,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}

--- a/internal/api/client/media/mediaget.go
+++ b/internal/api/client/media/mediaget.go
@ -73,9 +73,14 @@ func (m *Module) MediaGETHandler(c *gin.Context) {
 		return
 	}

-	authed, err := apiutil.TokenAuth(c, true, true, true, true)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		true, true, true, true,
+		// This takes write even
+		// though it's a read.
+		apiutil.ScopeWriteMedia,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}

--- a/internal/api/client/media/mediaupdate.go
+++ b/internal/api/client/media/mediaupdate.go
@ -105,9 +105,12 @@ func (m *Module) MediaPUTHandler(c *gin.Context) {
 		return
 	}

-	authed, err := apiutil.TokenAuth(c, true, true, true, true)
-	if err != nil {
-		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+	authed, errWithCode := apiutil.TokenAuth(c,
+		true, true, true, true,
+		apiutil.ScopeWriteMedia,
+	)
+	if errWithCode != nil {
+		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
 		return
 	}