
Allow OAuth applications to be granted rights the user doesn't have
Open, Low, Public


If an OAuth application is granted right X, it will only be able to use it if the granting user has that right. In a few cases it would be useful to have some kind of "supergrant" where this limitation does not exist. The main use case is IP-related rights such as noratelimit or ipblock-exempt (which the user normally does not need and/or is not trusted with, but the application, while using its own IP, can run into problems the user would not).

Event Timeline

Tgr created this task. Aug 25 2015, 9:50 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added a subscriber: Tgr.
Restricted Application added a subscriber: Aklapper. Aug 25 2015, 9:50 PM
Krenair added a subscriber: Krenair.

I would define this as a «setuid grant»

jayvdb added a subscriber: jayvdb. Oct 7 2015, 5:01 AM
Tgr triaged this task as Low priority. Mar 7 2017, 4:10 AM

Another would be Upload files from a URL (upload_by_url)

chasemp moved this task from Incoming to Back Orders on the Security-Team board.