fix scoping edge cases

app/controllers/api/v1/application_controller.rb

@@ -3,7 +3,7 @@ module API
     class ApplicationController < ActionController::API
       prepend_view_path "app/views/api/v1"
 
-      helper_method :current_identity, :current_program, :current_scopes, :acting_as_program
+      helper_method :current_identity, :current_program, :current_scopes, :acting_as_program, :identity_authorized_for_scope?
 
       attr_reader :current_identity
       attr_reader :current_program
@@ -22,6 +22,14 @@ module API
         render json: { error: e.message }, status: :bad_request
       end
 
+      def identity_authorized_for_scope?(identity, scope)
+        if current_identity
+          @current_token.scopes.include?(scope)
+        else
+          identity.access_tokens.to_a.any? { |t| t.application_id == current_program.id && t.scopes.include?(scope) }
+        end
+      end
+
       private
 
       def authenticate!
@@ -34,14 +42,15 @@ module API
         if @current_token.is_a?(OAuthToken)
           @current_identity = @current_token.resource_owner
           @current_program = @current_token.application
+          @current_scopes = @current_token.scopes
           unless @current_program&.active?
             return render json: { error: "invalid_auth" }, status: :unauthorized
           end
         else
           @acting_as_program = true
           @current_program = @current_token
+          @current_scopes = @current_program.scopes
         end
-        @current_scopes = @current_program.scopes
       end
     end
   end

app/controllers/api/v1/identities_controller.rb

@@ -9,7 +9,7 @@ module API
 
       def show
         raise Pundit::NotAuthorizedError unless acting_as_program
-        @identity = ident_scope.find_by_public_id!(params[:id])
+        @identity = ident_scope.includes(:access_tokens, :addresses, :verifications).find_by_public_id!(params[:id])
         render :show
       end
 
@@ -28,7 +28,7 @@ module API
 
       def index
         raise Pundit::NotAuthorizedError unless acting_as_program
-        @identities = ident_scope.all
+        @identities = ident_scope.all.includes(:access_tokens, :addresses, :verifications)
         render :index
       end
 

app/helpers/api/v1/application_helper.rb

@@ -1,6 +1,7 @@
 module API::V1::ApplicationHelper
-  def scope(scope, &)
+  def scope(scope, identity: nil, &)
     return unless current_scopes.include?(scope)
+    return unless identity.nil? || identity_authorized_for_scope?(identity, scope)
     yield
   end
 end

app/views/api/v1/identities/_identity.jb

@@ -2,12 +2,12 @@ ident = {
   id: identity.public_id
 }
 
-scope "verification_status" do
+scope "verification_status", identity: do
   ident[:ysws_eligible] = identity.ysws_eligible
   ident[:verification_status] = identity.verification_status
 end
 
-scope "basic_info" do
+scope "basic_info", identity: do
   ident[:first_name] = identity.first_name
   ident[:last_name] = identity.last_name
   ident[:primary_email] = identity.primary_email
@@ -22,25 +22,25 @@ scope "basic_info" do
   ident[:birthday] = identity.birthday
 end
 
-scope "email" do
+scope "email", identity: do
   ident[:primary_email] = identity.primary_email
 end
 
-scope "name" do
+scope "name", identity: do
   ident[:first_name] = identity.first_name
   ident[:last_name] = identity.last_name
 end
 
-scope "slack_id" do
+scope "slack_id", identity: do
   ident[:slack_id] = identity.slack_id
 end
 
-scope "legal_name" do
+scope "legal_name", identity: do
   ident[:legal_first_name] = identity.legal_first_name
   ident[:legal_last_name] = identity.legal_last_name
 end
 
-scope "address" do
+scope "address", identity: do
   ident[:addresses] = identity.addresses.map do |address|
     render address
   end