FEATURE: user API now contains scopes so permission is granular

previously we supported blanket read and write for user API, this
change amends it so we can define more limited scopes. A scope only
covers a few routes. You can not grant access to part of the site and
leave a large amount of the information hidden to API consumer.

app/controllers/user_api_keys_controller.rb

@@ -6,7 +6,7 @@ class UserApiKeysController < ApplicationController
   skip_before_filter :check_xhr, :preload_json
   before_filter :ensure_logged_in, only: [:create, :revoke, :undo_revoke]
 
-  AUTH_API_VERSION ||= 1
+  AUTH_API_VERSION ||= 2
 
   def new
 
@@ -34,14 +34,14 @@ class UserApiKeysController < ApplicationController
       return
     end
 
-    @access_description = params[:access].include?("w") ? t("user_api_key.read_write") : t("user_api_key.read")
     @application_name = params[:application_name]
     @public_key = params[:public_key]
     @nonce = params[:nonce]
-    @access = params[:access]
     @client_id = params[:client_id]
     @auth_redirect = params[:auth_redirect]
     @push_url = params[:push_url]
+    @localized_scopes = params[:scopes].split(",").map{|s| I18n.t("user_api_key.scopes.#{s}")}
+    @scopes = params[:scopes]
 
   rescue Discourse::InvalidAccess
     @generic_error = true
@@ -60,10 +60,6 @@ class UserApiKeysController < ApplicationController
 
     raise Discourse::InvalidAccess unless meets_tl?
 
-    request_read = params[:access].include? 'r'
-    request_read ||= params[:access].include? 'p'
-    request_write = params[:access].include? 'w'
-
     validate_params
 
     # destroy any old keys we had
@@ -72,12 +68,10 @@ class UserApiKeysController < ApplicationController
     key = UserApiKey.create!(
       application_name: params[:application_name],
       client_id: params[:client_id],
-      read: request_read,
-      push: params[:push_url].present?,
       user_id: current_user.id,
-      write: request_write,
+      push_url: params[:push_url],
       key: SecureRandom.hex,
-      push_url: params[:push_url]
+      scopes: params[:scopes].split(",")
     )
 
     # we keep the payload short so it encrypts easily with public key
@@ -85,7 +79,8 @@ class UserApiKeysController < ApplicationController
     payload = {
       key: key.key,
       nonce: params[:nonce],
-      access: key.access
+      push: key.has_push?,
+      api: AUTH_API_VERSION
     }.to_json
 
     public_key = OpenSSL::PKey::RSA.new(params[:public_key])
@@ -100,7 +95,7 @@ class UserApiKeysController < ApplicationController
     if current_key = request.env['HTTP_USER_API_KEY']
       request_key = UserApiKey.find_by(key: current_key)
       revoke_key ||= request_key
-      if request_key && request_key.id != revoke_key.id && !request_key.write
+      if request_key && request_key.id != revoke_key.id && !request_key.scopes.include?("write")
         raise Discourse::InvalidAccess
       end
     end
@@ -127,7 +122,7 @@ class UserApiKeysController < ApplicationController
     [
      :public_key,
      :nonce,
-     :access,
+     :scopes,
      :client_id,
      :auth_redirect,
      :application_name
@@ -135,13 +130,9 @@ class UserApiKeysController < ApplicationController
   end
 
   def validate_params
-    request_read = params[:access].include? 'r'
-    request_read ||= params[:access].include? 'p'
-    request_write = params[:access].include? 'w'
+    requested_scopes = Set.new(params[:scopes].split(","))
 
-    raise Discourse::InvalidAccess unless request_read || request_push
-    raise Discourse::InvalidAccess if request_read && !SiteSetting.allow_read_user_api_keys
-    raise Discourse::InvalidAccess if request_write && !SiteSetting.allow_write_user_api_keys
+    raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)
 
     # our pk has got to parse
     OpenSSL::PKey::RSA.new(params[:public_key])