From e504f4d028865f4cfc112c19f637789f405a39e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Du=C5=A1an=20Baran?=
Date: Fri, 2 Feb 2018 18:12:09 +0100
Subject: [PATCH] Check token scope when creating new tokens from it
* Fix token creation handeling
* Update RequestManagerUser.cc
---
 src/rm/RequestManagerUser.cc | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/rm/RequestManagerUser.cc b/src/rm/RequestManagerUser.cc
index 29c3e12304..03901f64a1 100644
--- a/src/rm/RequestManagerUser.cc
+++ b/src/rm/RequestManagerUser.cc
@@ -503,7 +503,7 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
 }
 else if (valid > 0 || valid == -1)
 {
- if ( egid != -1 && !user->is_in_group(egid) )
+ if ( egid != -1 && (!user->is_in_group(egid) || att.group_ids.count(egid) == 0) )
 {
 att.resp_msg = "EGID is not in user group list";
 failure_response(XML_RPC_API, att);
@@ -512,6 +512,15 @@ void UserLogin::request_execute(xmlrpc_c::paramList const& paramList,
 return;
 }
 
+ if ( egid == -1 && user->get_groups() != att.group_ids )
+ {
+ att.resp_msg = "Cannot request unscoped token from scoped token";
+ failure_response(XML_RPC_API, att);
+
+ user->unlock();
+ return;
+ }
+
 if ( user->login_tokens.set(token, valid, egid) != 0 )
 {
 att.resp_msg = "Max number of tokens limit reached.";
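Review bot: The widened condition in the first hunk still answers `EGID is not in user group list` when the user is in the group but the requesting token's scope (`att.group_ids`) does not include it, so the response and any log built from `att.resp_msg` cannot distinguish a bad egid from an attempted scope widening; a separate branch with `att.resp_msg = "EGID is outside the scope of the requesting token";` would keep the two failures apart for operators reviewing token activity. In the second hunk, `user->get_groups() != att.group_ids` compares the target user's full group set against the groups carried by the request, which appears to reject any unscoped request whenever `att` describes someone other than `user` (for example an administrator issuing a token for another account) — worth confirming against how `att.group_ids` is populated before merging. Both new checks only cover the `valid > 0 || valid == -1` branch, so whether other branches of the same function can still mint a token from a scoped one is not visible here. `UserLogin::request_execute` starts and ends outside both hunks.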