#6846 OAuth improvement: reduce token rights

unreleased
open
nobody
None
General
nobody
2015-01-30
2013-11-05
Cory Johns
No

We should be able to optionally assign a specific (named?) ProjectRole to an OAuthAccessToken to restrict its access level instead of always giving the full permissions of the user that created it. Since the token is currently used to set the user in the session, we'll need to override the ProjectRole returned for that user somehow, for the duration of the request.

Discussion