From 9c02d6bd09f20bfbf85ba351d5ce0ab04067055f Mon Sep 17 00:00:00 2001
From: Ishank Arora
Date: Tue, 19 Apr 2022 16:06:17 +0200
Subject: [PATCH] Fix scope checks
---
 internal/grpc/interceptors/auth/scope.go | 34 ++++++++++++------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
index 1cf205a23f9..8ed85336293 100644
--- a/internal/grpc/interceptors/auth/scope.go
+++ b/internal/grpc/interceptors/auth/scope.go
@@ -64,15 +64,7 @@ func expandAndVerifyScope(ctx context.Context, req interface{}, tokenScope map[s
 return err
 }
 
- highestRole := authpb.Role_ROLE_VIEWER
- for _, v := range tokenScope {
- if roleRankings[v.Role] > roleRankings[highestRole] {
- highestRole = v.Role
- break
- }
- }
-
- if ref, ok := extractRef(req, highestRole); ok {
+ if ref, ok := extractRef(req, tokenScope); ok {
 // The request is for a storage reference. This can be the case for multiple scenarios:
 // - If the path is not empty, the request might be coming from a share where the accessor is
 // trying to impersonate the owner, since the share manager doesn't know the
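Review bot: With the ranking loop removed, this hunk shows no remaining reader of `roleRankings`; if nothing else in scope.go uses it, it is dead code now and should be dropped in the same commit rather than left as a stale table for a future caller to pick up. The new call also changes what this site means: instead of one derived role, extractRef now decides over every entry of `tokenScope`, and the three comment lines that follow describe request scenarios but say nothing about that, so a one-line note here would help, e.g. `// extractRef accepts the request if any scope entry's role permits the reader or uploader extractor.` expandAndVerifyScope begins and ends outside this hunk, so the reference check that consumes ref is not visible here.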
@@ -295,22 +287,30 @@ func extractRefForUploaderRole(req interface{}) (*provider.Reference, bool) {
 }
 
-func extractRef(req interface{}, role authpb.Role) (*provider.Reference, bool) {
- switch role {
- case authpb.Role_ROLE_UPLOADER:
- return extractRefForUploaderRole(req)
- case authpb.Role_ROLE_VIEWER:
- return extractRefForReaderRole(req)
- default: // Owner or editor role
+func extractRef(req interface{}, tokenScope map[string]*authpb.Scope) (*provider.Reference, bool) {
+ var readPerm, editPerm bool
+ for _, v := range tokenScope {
+ if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR || v.Role == authpb.Role_ROLE_VIEWER {
+ readPerm = true
+ }
+ if v.Role == authpb.Role_ROLE_OWNER || v.Role == authpb.Role_ROLE_EDITOR || v.Role == authpb.Role_ROLE_UPLOADER {
+ editPerm = true
+ }
+ }
+
+ if readPerm {
 ref, ok := extractRefForReaderRole(req)
 if ok {
 return ref, true
 }
- ref, ok = extractRefForUploaderRole(req)
+ }
+ if editPerm {
+ ref, ok := extractRefForUploaderRole(req)
 if ok {
 return ref, true
 }
 }
+
 return nil, false
 }
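Review bot: `readPerm` and `editPerm` are ORed across every entry of `tokenScope`, so a token holding a viewer scope on one resource and an uploader scope on another satisfies both flags for any request, and the returned reference carries no trace of which entry's role allowed the extraction. Whether that lets an upload-shaped request against the viewer-only resource through depends on the check that follows in expandAndVerifyScope, which is outside this hunk; if that check matches ref against the scope map without regard to role, this is a cross-resource privilege escalation rather than just a role merge. The old per-role switch avoided it only by collapsing the token to a single role, so the cleaner fix is to hand the caller the access class along with the reference and let it accept only scope entries whose role grants that class. A role outside owner/editor/viewer/uploader sets neither flag and falls through to `nil, false`, which is the right fail-closed default and deserves a comment so nobody "fixes" it.
```go
// extractRef returns the storage reference req targets and whether it was
// recognised by the uploader (write) extractor, so the caller can check ref
// against scope entries whose role grants that class of access instead of
// against the union of all entries' roles. A role other than owner, editor,
// viewer or uploader grants nothing, so unknown roles fail closed.
func extractRef(req interface{}, tokenScope map[string]*authpb.Scope) (*provider.Reference, bool, bool) {
	// … unchanged: readPerm/editPerm loop over tokenScope …
	if readPerm {
		if ref, ok := extractRefForReaderRole(req); ok {
			return ref, false, true
		}
	}
	if editPerm {
		if ref, ok := extractRefForUploaderRole(req); ok {
			return ref, true, true
		}
	}
	return nil, false, false
}
```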