[#1478] OAuth `admin` scopes tweaks
Adjusted AdminAPIController admin subscope requirements.
Allowed non-admins to obtain admin scopes (which won't allow performing admin actions as long as the `users.is_admin` flag is false).
Enforced OAuth admin scopes usage by default (set `[:auth, :enforce_oauth_admin_scope_usage]` to `true`). This allows admins to opt out of admin scopes for some [3rd-party] apps, which would guarantee that no potentially destructive actions could be performed from those apps (without this setting such a scenario is possible, since only the `is_admin` flag is checked in this case). Note: PleromaFE and AdminFE versions not supporting the `admin` scope won't be able to access admin features with this setting — added a changelog entry advising users to use bundled or newer versions of FEs.
Migrated existing OAuth records.
Adjusted / improved tests.
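To make the resulting authorization rule concrete, here is an added illustrative model in Python (not Pleroma's Elixir code) of how the `is_admin` flag, the token's admin scopes and the `enforce_oauth_admin_scope_usage` setting combine for an AdminAPI request; the `User`/`Token` classes, the sample data and the prefix-based subscope matching are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed stand-in types; Pleroma's real User and Token structs differ.
@dataclass(frozen=True)
class User:
    nickname: str
    is_admin: bool = False

@dataclass(frozen=True)
class Token:
    user: User
    scopes: frozenset = field(default_factory=frozenset)

def scope_covers(granted: str, required: str) -> bool:
    """Assumed hierarchy: a granted scope covers itself and its subscopes,
    e.g. "admin" covers "admin:write:accounts"."""
    return granted == required or required.startswith(granted + ":")

def token_has_scope(token: Token, required: str) -> bool:
    return any(scope_covers(s, required) for s in token.scopes)

def admin_action_allowed(token: Token, required_scope: str,
                         enforce_oauth_admin_scope_usage: bool = True) -> bool:
    """Decide whether an AdminAPI endpoint requiring `required_scope` may run.

    - A non-admin user is always refused, even if the token carries admin
      scopes, so issuing such scopes to non-admins is harmless.
    - With enforcement on (the new default), an admin also needs a token
      that actually carries the admin scope.
    - With enforcement off, the is_admin flag alone suffices: the legacy
      behaviour in which any app authorized by an admin can act as admin.
    """
    if not token.user.is_admin:
        return False
    if enforce_oauth_admin_scope_usage:
        return token_has_scope(token, required_scope)
    return True

# Constructed sample data for a quick demonstration.
ALICE = User("alice", is_admin=True)
BOB = User("bob", is_admin=False)
LEGACY_APP = Token(ALICE, frozenset({"read", "write"}))        # no admin scope
ADMIN_FE = Token(ALICE, frozenset({"read", "write", "admin"}))
BOB_ADMIN = Token(BOB, frozenset({"admin"}))                    # non-admin holding admin scope

if __name__ == "__main__":
    for name, tok in [("legacy app", LEGACY_APP), ("AdminFE", ADMIN_FE), ("bob", BOB_ADMIN)]:
        print(name, admin_action_allowed(tok, "admin:write:accounts"),
              admin_action_allowed(tok, "admin:write:accounts", False))
```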
Closes #1478