From 7757aaef6a944925eccba4c624eeac76816a8c11 Mon Sep 17 00:00:00 2001
From: Revant Nandgaonkar
Date: Mon, 14 Nov 2016 12:05:47 +0530
Subject: [PATCH] [Fix] oauth url delimiter moved to function instead of global (#2305)
* [Fix] oauth url delimiter moved to function instead of global
* [Fix] renamed oauth_url_delimiter to get_url_delimiter
---
 frappe/api.py | 3 ++-
 frappe/oauth.py | 17 +++++++++--------
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/frappe/api.py b/frappe/api.py
index afdc3b8630..0b620bd0b1 100644
--- a/frappe/api.py
+++ b/frappe/api.py
@@ -129,6 +129,7 @@ def handle():
 return build_response("json")
 def validate_oauth():
+ from frappe.oauth import get_url_delimiter
 form_dict = frappe.local.form_dict
 authorization_header = frappe.get_request_header("Authorization").split(" ") if frappe.get_request_header("Authorization") else None
 if authorization_header and authorization_header[0].lower() == "bearer":
@@ -142,7 +143,7 @@ def validate_oauth():
 body = r.get_data()
 headers = r.headers
- required_scopes = frappe.db.get_value("OAuth Bearer Token", token, "scopes").split(";")
+ required_scopes = frappe.db.get_value("OAuth Bearer Token", token, "scopes").split(get_url_delimiter())
 valid, oauthlib_request = get_oauth_server().verify_request(uri, http_method, body, headers, required_scopes)
diff --git a/frappe/oauth.py b/frappe/oauth.py
index fe95bba2b1..89f00c41a6 100644
--- a/frappe/oauth.py
+++ b/frappe/oauth.py
@@ -11,7 +11,8 @@ from oauthlib.oauth2.rfc6749.endpoints.resource import ResourceEndpoint
 from oauthlib.oauth2.rfc6749.endpoints.revocation import RevocationEndpoint
 from oauthlib.common import Request
-separated_by = " "
+def get_url_delimiter(separator_character=" "):
+ return separator_character
 class WebApplicationServer(AuthorizationEndpoint, TokenEndpoint, ResourceEndpoint, RevocationEndpoint):
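Review bot: The new `required_scopes` line in the `@@ -142` hunk still calls `.split()` directly on the `frappe.db.get_value(...)` result, which is `None` when the bearer token taken from the Authorization header is unknown, so a bad token raises `AttributeError` instead of failing verification cleanly; the same unguarded `get_value(...).split(get_url_delimiter())` pattern appears in frappe/oauth.py at `@@ -76`, `@@ -92`, `@@ -104` and `@@ -226`, where `client_id` / `otoken.client` may likewise not resolve to a row. Split it into `stored_scopes = frappe.db.get_value("OAuth Bearer Token", token, "scopes")`, `if not stored_scopes: return` (or whatever the rest of `validate_oauth` does for an invalid token), then `required_scopes = stored_scopes.split(get_url_delimiter())`. Separately, `required_scopes` is derived from the token's own stored scopes, so `verify_request` appears to check the token against itself rather than against anything this endpoint requires; if that is intended, a comment stating so would help the next reader. The body of `validate_oauth` continues past the end of the hunk, so what happens with `valid` is not visible here.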
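Review bot: `get_url_delimiter(separator_character=" ")` in the `@@ -11` hunk takes a parameter that no call site in this patch passes, so the writers (`get_url_delimiter().join(...)`) and the readers (`.split(get_url_delimiter())`) agree only because everyone leaves the default alone; a parameterless function (or a module constant) would make that shared invariant explicit, and the name is misleading since the value separates scopes and redirect URIs, not parts of a URL. The function also has no docstring; suggested: `"""Return the separator used when storing OAuth scopes and redirect URIs (a space, matching the space-delimited scope lists of RFC 6749 §3.3)."""`. The reason for moving from the module-level `separated_by` global to a function is not stated beyond "[Fix]" in the commit message; a one-line comment on the why would stop the next reader from folding it back into a constant.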
@@ -76,7 +77,7 @@ class OAuthWebRequestValidator(RequestValidator):
 # Is the client allowed to use the supplied redirect_uri? i.e. has
 # the client previously registered this EXACT redirect uri.
- redirect_uris = frappe.db.get_value("OAuth Client", client_id, 'redirect_uris').split(separated_by)
+ redirect_uris = frappe.db.get_value("OAuth Client", client_id, 'redirect_uris').split(get_url_delimiter())
 if redirect_uri in redirect_uris:
 return True
@@ -92,7 +93,7 @@ class OAuthWebRequestValidator(RequestValidator):
 def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
 # Is the client allowed to access the requested scopes?
- client_scopes = frappe.db.get_value("OAuth Client", client_id, 'scopes').split(separated_by)
+ client_scopes = frappe.db.get_value("OAuth Client", client_id, 'scopes').split(get_url_delimiter())
 are_scopes_valid = True
@@ -104,7 +105,7 @@ class OAuthWebRequestValidator(RequestValidator):
 def get_default_scopes(self, client_id, request, *args, **kwargs):
 # Scopes a client will authorize for if none are supplied in the
 # authorization request.
- scopes = frappe.db.get_value("OAuth Client", client_id, 'scopes').split(separated_by)
+ scopes = frappe.db.get_value("OAuth Client", client_id, 'scopes').split(get_url_delimiter())
 request.scopes = scopes #Apparently this is possible.
 return scopes
@@ -126,7 +127,7 @@ class OAuthWebRequestValidator(RequestValidator):
 cookie_dict = get_cookie_dict_from_headers(request)
 oac = frappe.new_doc('OAuth Authorization Code')
- oac.scopes = separated_by.join(request.scopes)
+ oac.scopes = get_url_delimiter().join(request.scopes)
 oac.redirect_uri_bound_to_authorization_code = request.redirect_uri
 oac.client = client_id
 oac.user = urllib.unquote(cookie_dict['user_id'])
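Review bot: Seven call sites now repeat `.split(get_url_delimiter())` or `get_url_delimiter().join(...)` (this `@@ -76` hunk, `@@ -92`, `@@ -104` and `@@ -126` here, then `@@ -176`, `@@ -202` and `@@ -226` later), and because the delimiter is a single space, `str.split(" ")` keeps empty entries: `"read  write".split(" ")` gives `['read', '', 'write']` and `"".split(" ")` gives `['']`, so a doubled or trailing space in a stored field yields an empty-string "scope" that then takes part in the membership checks. A pair of helpers in frappe/oauth.py next to `get_url_delimiter`, say `split_delimited(value)` with body `return [v for v in (value or "").split(get_url_delimiter()) if v]` and `join_delimited(values)` with body `return get_url_delimiter().join(values)`, would keep the empty-entry filtering and the empty-field handling in one place instead of at every call site. Each enclosing method in this hunk starts and ends outside the shown lines, so the surrounding return paths are not visible here.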
@@ -176,7 +177,7 @@ class OAuthWebRequestValidator(RequestValidator):
 checkcodes.append(vcode["name"])
 if code in checkcodes:
- request.scopes = frappe.db.get_value("OAuth Authorization Code", code, 'scopes').split(separated_by)
+ request.scopes = frappe.db.get_value("OAuth Authorization Code", code, 'scopes').split(get_url_delimiter())
 request.user = frappe.db.get_value("OAuth Authorization Code", code, 'user')
 return True
 else:
@@ -202,7 +203,7 @@ class OAuthWebRequestValidator(RequestValidator):
 otoken = frappe.new_doc("OAuth Bearer Token")
 otoken.client = request.client['name']
 otoken.user = request.user
- otoken.scopes = separated_by.join(request.scopes)
+ otoken.scopes = get_url_delimiter().join(request.scopes)
 otoken.access_token = token['access_token']
 otoken.refresh_token = token['refresh_token']
 otoken.expires_in = token['expires_in']
@@ -226,7 +227,7 @@ class OAuthWebRequestValidator(RequestValidator):
 otoken = frappe.get_doc("OAuth Bearer Token", token) #{"access_token": str(token)})
 is_token_valid = (frappe.utils.datetime.datetime.now() < otoken.expiration_time) \
 and otoken.status != "Revoked"
- client_scopes = frappe.db.get_value("OAuth Client", otoken.client, 'scopes').split(separated_by)
+ client_scopes = frappe.db.get_value("OAuth Client", otoken.client, 'scopes').split(get_url_delimiter())
 are_scopes_valid = True
 for scp in scopes:
 are_scopes_valid = are_scopes_valid and True if scp in client_scopes else False