Skip to content

Remove vestigial disavow:auth and clear:session from default authuser role #54

Description

@taylortom

Summary

The default authuser role definition grants disavow:auth and clear:session, but neither scope gates anything any more:

  • disavow:auth — the POST /api/auth/disavow route is being changed to authenticated-only (no scope requirement), since logging out is self-authorising.
  • clear:session — there is no handler registered for /api/session/clear; the scope guarded a route that never existed.

Both are now dead weight in the default role.

Fix

Remove disavow:auth and clear:session from the default authuser role's scopes in conf/config.schema.json.

Note

This only affects freshly-seeded installs; roles already seeded in a database keep the (now harmless, unused) scopes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Merged

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions