handle empty scope

Author: wxiaoguang

cmd/admin_user_create.go

@@ -212,6 +212,9 @@ func runCreateUser(c *cli.Context) error {
 		if err != nil {
 			return fmt.Errorf("invalid access token scope provided: %w", err)
 		}
+		if !accessTokenScope.HasPermissionScope() {
+			return errors.New("access token does not have any permission")
+		}
 		t.Scope = accessTokenScope
 
 		if err := auth_model.NewAccessToken(ctx, t); err != nil {

cmd/admin_user_create_test.go

@@ -95,10 +95,17 @@ func TestAdminUserCreate(t *testing.T) {
 
 		// using "--access-token-name" without "--access-token"
 		reset()
-		assert.ErrorContains(t, createUser("u", "--random-password --access-token-name new-token-name"), "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
+		err = createUser("u", "--random-password --access-token-name new-token-name")
+		assert.ErrorContains(t, err, "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
 
 		// using "--access-token-scopes" without "--access-token"
 		reset()
-		assert.ErrorContains(t, createUser("u", "--random-password --access-token-scopes read:issue"), "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
+		err = createUser("u", "--random-password --access-token-scopes read:issue")
+		assert.ErrorContains(t, err, "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
+
+		// empty permission
+		reset()
+		err = createUser("u", "--random-password --access-token --access-token-scopes public-only")
+		assert.ErrorContains(t, err, "access token does not have any permission")
 	})
 }

cmd/admin_user_generate_access_token.go

@@ -34,16 +34,16 @@ var microcmdUserGenerateAccessToken = &cli.Command{
 		},
 		&cli.StringFlag{
 			Name:  "scopes",
-			Value: "",
-			Usage: "Comma separated list of scopes to apply to access token",
+			Value: "all",
+			Usage: `Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user"`,
 		},
 	},
 	Action: runGenerateAccessToken,
 }
 
 func runGenerateAccessToken(c *cli.Context) error {
 	if !c.IsSet("username") {
-		return errors.New("You must provide a username to generate a token for")
+		return errors.New("you must provide a username to generate a token for")
 	}
 
 	ctx, cancel := installSignals()
@@ -77,6 +77,9 @@ func runGenerateAccessToken(c *cli.Context) error {
 	if err != nil {
 		return fmt.Errorf("invalid access token scope provided: %w", err)
 	}
+	if !accessTokenScope.HasPermissionScope() {
+		return errors.New("access token does not have any permission")
+	}
 	t.Scope = accessTokenScope
 
 	// create the token

models/auth/access_token_scope.go

@@ -295,6 +295,10 @@ func (s AccessTokenScope) Normalize() (AccessTokenScope, error) {
 	return bitmap.toScope(), nil
 }
 
+func (s AccessTokenScope) HasPermissionScope() bool {
+	return s != "" && s != AccessTokenScopePublicOnly
+}
+
 // PublicOnly checks if this token scope is limited to public resources
 func (s AccessTokenScope) PublicOnly() (bool, error) {
 	bitmap, err := s.parse()

routers/web/user/setting/applications.go

@@ -54,7 +54,7 @@ func ApplicationsPost(ctx *context.Context) {
 		ctx.ServerError("GetScope", err)
 		return
 	}
-	if scope == "" || scope == auth_model.AccessTokenScopePublicOnly {
+	if !scope.HasPermissionScope() {
 		ctx.Flash.Error(ctx.Tr("settings.at_least_one_permission"), true)
 	}