From 262c905a97bacd45707f161c46c927422f5860ae Mon Sep 17 00:00:00 2001
From: "Ruben S. Montero"
Date: Tue, 5 Feb 2019 10:48:07 +0100
Subject: [PATCH] B #2843: Allow administrator to create scope tokens in any group
---
 src/rm/RequestManagerUser.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/rm/RequestManagerUser.cc b/src/rm/RequestManagerUser.cc
index fd09a36a54..8f0bc6a701 100644
--- a/src/rm/RequestManagerUser.cc
+++ b/src/rm/RequestManagerUser.cc
@@ -493,7 +493,14 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
 }
 else if (valid > 0 || valid == -1)
 {
- if ( egid != -1 && (!user->is_in_group(egid) || att.group_ids.count(egid) == 0) )
+ /**
+ * Scoped token checks
+ * 1. user is in the target group
+ * 2. Authenticated groups for the user include the target group
+ * 3. user is not oneadmin or admin group
+ */
+ if ( egid != -1 && !att.is_admin() && ( !user->is_in_group(egid) ||
+ att.group_ids.count(egid) == 0) )
 {
 att.resp_msg = "EGID is not in user group list";
 failure_response(XML_RPC_API, att);
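Review bot: The new `!att.is_admin()` short-circuit removes every check on `egid` for an admin caller, so a scoped token can be issued for a group id that does not exist or that the target `user` is not a member of, and nothing else in this hunk validates the value afterwards. If the intent is only to let oneadmin pick any existing group, an explicit existence check on `egid` in the admin case (a group-pool lookup with its own `failure_response`) would keep the id bounded; I cannot tell from this hunk whether later consumers of the token tolerate a dangling group id, so that needs confirming. The added comment is also misleading: item 3 reads as a condition that must hold, whereas the code skips items 1 and 2 entirely when the caller is an admin — consider replacing it with `* Checks 1-2 are skipped when the caller is oneadmin / in the admin group.` `UserLogin::request_execute` begins and ends outside this hunk.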