[BUGFIX] Respect requested scope for extension restriction

Previously, the extension restriction was automatically
skipped if the current fe_user had either the admin or
reviewer user group assigned. This, however, prevented
such users from restricting tokens to a subset of their extensions
if they just wanted a token for their personal use.

This is now fixed. The restriction process is now only
skipped if such a user also requests the extension:admin
or extension:review scope for the token to be created,
since this indicates that the token should be used as a
so-called "controller" token.

Closes #496 (closed)

Edited by Oliver Bartsch
