merchant

Merchant backend to process payments, run by merchants

commit 5d24900f8bccd02ada1808bed373d5ac832f825d
parent 5e2b19c64e2e8a3b84d82f1cf5c3c088e01b5c0c
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Wed,  6 Sep 2023 21:29:55 +0200

-do not allow scope upgrades when refreshing

Diffstat:
Msrc/backend/taler-merchant-httpd_private-post-instances-ID-token.c | 8++++++++
Msrc/backenddb/versioning.sql | 4----
2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c b/src/backend/taler-merchant-httpd_private-post-instances-ID-token.c
@@ -91,6 +91,14 @@ TMH_private_post_instances_ID_token (const struct TMH_RequestHandler *rh,
 }
 if (refreshable)
 iscope |= TMH_AS_REFRESHABLE;
+ if (0 != (iscope & (~hc->auth_scope)))
+ {
+ /* more permissions requested for the new token, not allowed */
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_ec (connection,
+ TALER_EC_GENERIC_TOKEN_PERMISSION_INSUFFICIENT,
+ NULL);
+ }
 qs = TMH_db->insert_login_token (TMH_db->cls,
 mi->settings.id,
 &btoken,
diff --git a/src/backenddb/versioning.sql b/src/backenddb/versioning.sql
@@ -146,10 +146,6 @@ BEGIN;
--- Added by Christian Grothoff to support concurrency, see
--- https://stackoverflow.com/questions/29900845/create-schema-if-not-exists-raises-duplicate-key-error?rq=4
-LOCK TABLE pg_catalog.pg_namespace;
-
 -- This file adds versioning support to database it will be loaded to.
 -- It requires that PL/pgSQL is already loaded - will raise exception otherwise.
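Review bot: The new guard `if (0 != (iscope & (~hc->auth_scope)))` in TMH_private_post_instances_ID_token is a sound escalation check only if every `TMH_AS_*` value is an independent bit, and only if `hc->auth_scope` carries `TMH_AS_REFRESHABLE` whenever the caller's own credential may mint refreshable tokens. Neither the enum nor the place where `auth_scope` is assigned is visible in this hunk, so both should be confirmed. The check also depends on sitting after `iscope |= TMH_AS_REFRESHABLE;`, which the existing comment does not say; I would extend it to `/* new token must be a subset of the caller's scope; keep this after TMH_AS_REFRESHABLE is OR-ed in so refreshability cannot be upgraded either (assumes TMH_AS_* are bit flags) */`. The diffstat lists no test change, so a regression test that requests a wider scope with a narrower token and expects `TALER_EC_GENERIC_TOKEN_PERMISSION_INSUFFICIENT` would pin the behaviour. The function body starts before and continues after this hunk.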