Closed ibpavlov closed 6 years ago
I agree with you. Actually, the problem came from Laravel Passport. With Laravel Passport a valid user can create an access_token with any valid scopes. That's why I had to do that hack. You can see people already talking about this issue: https://stackoverflow.com/questions/39436509/laravel-passport-scopes. I'm open to your solutions.
I think that using scopes for "Basic" and "Admin" user roles is incorrect. Scopes are really just the permissions for the current user. So if I am a Basic user I will never have to use the Admin scope. Maybe if I am an Admin and I have a Basic scope this will mean that I can only access my files, profile and just personal records, not all of them. With scopes, you restrict the access of the token for a given user.
You have a check in the `accessToken` controller for the scope, but it could be easily bypassed if someone makes a request directly to `/oauth/token`. And also you cannot give extra scopes this way. If you agree with me I could try to make a Pull Request with my versions of scopes when I have time.
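As an added example (not code from this thread or the project), one way to enforce per-user scope limits at the token endpoint itself, so a direct POST to `/oauth/token` is covered as well as the controller path: Passport builds its `AuthorizationServer` with the `Bridge\ScopeRepository` resolved from the container, so a subclass can be bound in its place and reject any requested scope the user is not entitled to. The `User::allowedScopes()` method is a hypothetical helper that returns the scope ids a given user may be granted.

```php
<?php
// Added example; assumes Laravel Passport (league/oauth2-server underneath)
// and a hypothetical User::allowedScopes() returning an array of scope ids.
namespace App\Auth;

use App\User;
use Laravel\Passport\Bridge\ScopeRepository as PassportScopeRepository;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Exception\OAuthServerException;

class UserScopeRepository extends PassportScopeRepository
{
    // Called by the OAuth server for every grant before a token is issued.
    public function finalizeScopes(array $scopes, $grantType,
                                   ClientEntityInterface $clientEntity, $userIdentifier = null)
    {
        // Let Passport drop scopes that are not registered at all.
        $scopes = parent::finalizeScopes($scopes, $grantType, $clientEntity, $userIdentifier);

        if ($userIdentifier === null) {
            return $scopes; // e.g. client_credentials: no user to check against
        }

        $user = User::find($userIdentifier);
        $allowed = $user ? $user->allowedScopes() : []; // hypothetical helper

        foreach ($scopes as $scope) {
            if (!in_array($scope->getIdentifier(), $allowed, true)) {
                // Reject with invalid_scope (RFC 6749 s5.2) instead of silently
                // narrowing, so the client never assumes it got what it asked for.
                throw OAuthServerException::invalidScope($scope->getIdentifier());
            }
        }

        return $scopes;
    }
}

// In AuthServiceProvider::register(), swap in the repository before Passport boots:
//   $this->app->bind(
//       \Laravel\Passport\Bridge\ScopeRepository::class,
//       \App\Auth\UserScopeRepository::class
//   );
```

With this in place the scope check no longer depends on which route the client used; `Passport::tokensCan()` still defines which scopes exist, and the user-level rule decides which of them a particular user may receive.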