CMSgov · jimmyfagan · Nov 6, 2024 · Nov 6, 2024 · Nov 6, 2024 · loganbertram
diff --git a/apps/capabilities/permissions.py b/apps/capabilities/permissions.py
@@ -37,20 +37,15 @@ def has_permission(self, request, view):
                 slug__in=token_scopes
             ).values_list('protected_resources', flat=True).all())
 
-            # this is a shorterm fix to reject all tokens that do not have either
-            # patient/coverage.read or patient/ExplanationOfBenefit.read
-            if ("patient/Coverage.read" in token_scopes) or ("patient/ExplanationOfBenefit.read" in token_scopes):
-                for scope in scopes:
-                    for method, path in json.loads(scope):
-                        if method != request.method:
-                            continue
-                        if path == request.path:
-                            return True
-                        if re.fullmatch(path, request.path) is not None:
-                            return True
-                return False
-            else:
-                return False
+            for scope in scopes:
+                for method, path in json.loads(scope):
+                    if method != request.method:
+                        continue
+                    if path == request.path:
+                        return True
+                    if re.fullmatch(path, request.path) is not None:
+                        return True
+            return False
         else:
             # BB2-237: Replaces ASSERT with exception. We should never reach here.
             mesg = ("TokenHasScope requires the `oauth2_provider.rest_framework.OAuth2Authentication`"

diff --git a/apps/capabilities/tests.py b/apps/capabilities/tests.py
@@ -1,5 +1,4 @@
 import json
-import unittest
 
 from django.contrib.auth.models import Group
 from django.test import TestCase
@@ -41,7 +40,6 @@ def setUp(self):
             protected_resources=json.dumps([["POST", "/path"]]),
         )
 
-    @unittest.skip("Broke with quick fix")
     def test_request_is_protected(self):
         request = SimpleRequest("scope")
         request.method = "GET"

diff --git a/apps/dot_ext/forms.py b/apps/dot_ext/forms.py
@@ -335,7 +335,7 @@ def clean(self):
             scope = ""
 
         # Remove demographic information scopes, if beneficiary is not sharing
-        if cleaned_data.get("share_demographic_scopes") == "False":
+        if cleaned_data.get("share_demographic_scopes") != "True":
             cleaned_data["scope"] = " ".join(
                 [
                     s

diff --git a/apps/dot_ext/tests/demographic_scopes_test_cases.py b/apps/dot_ext/tests/demographic_scopes_test_cases.py
@@ -181,7 +181,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
         "result_access_token_count": 1,
         "result_refresh_token_count": 1,
         "result_archived_token_count": 0,
@@ -221,7 +221,7 @@
         "request_scopes": APPLICATION_SCOPES_FULL,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": APPLICATION_SCOPES_FULL,
+        "result_token_scopes_granted": APPLICATION_SCOPES_NON_DEMOGRAPHIC,
         "result_access_token_count": 3,
         "result_refresh_token_count": 3,
         "result_archived_token_count": 1,
@@ -314,7 +314,7 @@
         "request_scopes": SCOPES_JUST_PATIENT_AND_A,
         # Result:
         "result_has_error": False,
-        "result_token_scopes_granted": SCOPES_JUST_PATIENT_AND_A,
+        "result_token_scopes_granted": SCOPES_JUST_A,
         "result_access_token_count": 3,
         "result_refresh_token_count": 3,
         "result_archived_token_count": 8,

diff --git a/apps/dot_ext/tests/test_views.py b/apps/dot_ext/tests/test_views.py
@@ -1,6 +1,5 @@
 import json
 import base64
-import unittest
 from datetime import date, timedelta
 
 from django.conf import settings
@@ -163,20 +162,8 @@ def test_post_with_restricted_scopes_issues_token_with_same_scopes(self):
         # and here we test that only the capability-a scope has been issued
         self.assertEqual(content["scope"], "capability-a")
 
-    @unittest.skip("Broke with quick fix")
-    def test_post_with_share_demographic_scopes(self):
-        # Test with-out new_auth switch
-        self.testing_post_with_share_demographic_scopes()
-
-    @unittest.skip("Broke with quick fix")
-    @override_switch("new_auth", active=True)
-    def test_post_with_share_demographic_scopes_new_auth_switch(self):
-        # Test with new_auth switch.
-        self.testing_post_with_share_demographic_scopes()
-
-    @unittest.skip("Broke with quick fix")
     @override_switch("require-scopes", active=True)
-    def testing_post_with_share_demographic_scopes(self):
+    def test_post_with_share_demographic_scopes(self):
         """
         Test authorization related to different, beneficiary "share_demographic_scopes",
         application.require_demographic_scopes, and requested scopes values.