gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: Timothy Andrew <mail@timothyandrew.net> 2017-06-20 15:00:57 +0300
committer: Timothy Andrew <mail@timothyandrew.net> 2017-06-28 10:17:13 +0300
commit: d774825f981a73263c9a6c276c672b0c3e9bf104 (patch)
tree: 15b0fa907a1d6d1de478f999412542b4f409247a /lib/api/helpers.rb
parent: 157c05f49da1d6992d6b491e4fba8d90a7d821c8 (diff)
When verifying scopes, manually include scopes from `API::API`.
- They are not included automatically since `API::Users` does not inherit from `API::API`, as I initially assumed.
- Scopes declared in `API::API` are considered global (to the API), and need to be included in all cases.
Diffstat (limited to 'lib/api/helpers.rb')
-rw-r--r-- lib/api/helpers.rb 23
1 file changed, 19 insertions, 4 deletions
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index c69e7afea8c..5c0b82587ab 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -340,12 +340,10 @@ module API
end
def initial_current_user
- endpoint_class = options[:for].presence || ::API::API
-
return @initial_current_user if defined?(@initial_current_user)
Gitlab::Auth::UniqueIpsLimiter.limit_user! do
- @initial_current_user ||= find_user_by_private_token(scopes: endpoint_class.scopes)
- @initial_current_user ||= doorkeeper_guard(scopes: endpoint_class.scopes)
+ @initial_current_user ||= find_user_by_private_token(scopes: scopes_registered_for_endpoint)
+ @initial_current_user ||= doorkeeper_guard(scopes: scopes_registered_for_endpoint)
@initial_current_user ||= find_user_from_warden
unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed?
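Review bot: the two `scopes:` arguments inside the `UniqueIpsLimiter.limit_user!` block now depend on `scopes_registered_for_endpoint` returning the same value on both calls, and nothing in this hunk shows a spec covering the fallback the commit message describes (an endpoint class such as `API::Users` that does not inherit from `API::API`). Since these scopes decide which tokens may authenticate at all, a spec that exercises both the `find_user_by_private_token` and the `doorkeeper_guard` path against an endpoint class without its own `scopes` declaration would lock in the intended behaviour of falling back to the global `API::API` scopes rather than silently accepting an empty list.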
@@ -409,5 +407,22 @@ module API
exception.status == 500
end
+
+ # An array of scopes that were registered (using `allow_access_with_scope`)
+ # for the current endpoint class. It also returns scopes registered on
+ # `API::API`, since these are meant to apply to all API routes.
+ def scopes_registered_for_endpoint
+ @scopes_registered_for_endpoint ||=
+ begin
+ endpoint_classes = [options[:for].presence, ::API::API].compact
+ endpoint_classes.reduce([]) do |memo, endpoint|
+ if endpoint.respond_to?(:scopes)
+ memo.concat(endpoint.scopes)
+ else
+ memo
+ end
+ end
+ end
+ end
end
end
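Review bot: `endpoint_classes = [options[:for].presence, ::API::API].compact` will contain `::API::API` twice when an endpoint is mounted with `for: ::API::API`, so the reduce concatenates the global scopes twice; `[options[:for].presence, ::API::API].compact.uniq` (or `.uniq` on the resulting array) keeps the list free of duplicates. The memoization is sound as written, because an empty array is truthy in Ruby and so `||=` will not re-run the block for an endpoint with no scopes, but that is worth a one-line mention in the comment above `scopes_registered_for_endpoint`, as is the fact that the method silently returns only the global scopes for a class that does not `respond_to?(:scopes)`.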