[#1427] Reworked admin scopes support.

Requalified users.is_admin flag as legacy accessor to admin actions in case token lacks admin scope(s).

2 files changed, 13 insertions, 1 deletions

diff --git a/config/config.exs b/config/config.exs
index bf2b3f6e2..64397484e 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -560,7 +560,10 @@ config :ueberauth,
        base_path: "/oauth",
        providers: ueberauth_providers
 
-config :pleroma, :auth, oauth_consumer_strategies: oauth_consumer_strategies
+config :pleroma,
+       :auth,
+       enforce_oauth_admin_scope_usage: false,
+       oauth_consumer_strategies: oauth_consumer_strategies
 
 config :pleroma, Pleroma.Emails.Mailer, adapter: Swoosh.Adapters.Sendmail, enabled: false
 
diff --git a/config/description.exs b/config/description.exs
index 70e963399..45e4b43f1 100644
--- a/config/description.exs
+++ b/config/description.exs
@@ -2095,6 +2095,15 @@ config :pleroma, :config_description, [
     description: "Authentication / authorization settings",
     children: [
       %{
+        key: :enforce_oauth_admin_scope_usage,
+        type: :boolean,
+        description:
+          "OAuth admin scope requirement toggle. " <>
+            "If `true`, admin actions explicitly demand admin OAuth scope(s) presence in OAuth token " <>
+            "(client app must support admin scopes). If `false` and token doesn't have admin scope(s)," <>
+            "`is_admin` user flag grants access to admin-specific actions."
+      },
+      %{
         key: :auth_template,
         type: :string,
         description: