From 14e44d2b23f1a7a5b13d287f866b8a59b910bd62 Mon Sep 17 00:00:00 2001
From: "Guillaume S." <me@gsvd.dev>
Date: Sat, 22 Feb 2025 23:13:56 -0500
Subject: [PATCH] Fix pre-complete PAT permissions

---
 routers/web/user/setting/applications.go      |   9 ++
 templates/user/settings/applications.tmpl     |   1 +
 .../components/ScopedAccessTokenSelector.vue  | 114 +++++++++++++++---
 web_src/js/features/scoped-access-token.ts    |   1 +
 4 files changed, 107 insertions(+), 18 deletions(-)

diff --git a/routers/web/user/setting/applications.go b/routers/web/user/setting/applications.go
index cf71d01dc1624..5a8d9f444f064 100644
--- a/routers/web/user/setting/applications.go
+++ b/routers/web/user/setting/applications.go
@@ -5,6 +5,7 @@
 package setting
 
 import (
+	"encoding/json"
 	"net/http"
 
 	auth_model "code.gitea.io/gitea/models/auth"
@@ -42,6 +43,14 @@ func ApplicationsPost(ctx *context.Context) {
 	if ctx.HasError() {
 		loadApplicationsData(ctx)
 
+		// Send back the previously selected scopes as a JSON string
+		scopes, err := json.Marshal(form.Scope)
+		if err != nil {
+			ctx.ServerError("json.Marshal", err)
+			return
+		}
+		ctx.Data["Scopes"] = string(scopes)
+
 		ctx.HTML(http.StatusOK, tplSettingsApplications)
 		return
 	}
diff --git a/templates/user/settings/applications.tmpl b/templates/user/settings/applications.tmpl
index 31d1a2ac5b277..382f9740692fc 100644
--- a/templates/user/settings/applications.tmpl
+++ b/templates/user/settings/applications.tmpl
@@ -82,6 +82,7 @@
 						data-no-access-label="{{ctx.Locale.Tr "settings.permission_no_access"}}"
 						data-read-label="{{ctx.Locale.Tr "settings.permission_read"}}"
 						data-write-label="{{ctx.Locale.Tr "settings.permission_write"}}"
+						data-scopes="{{.Scopes}}"
 						data-locale-component-failed-to-load="{{ctx.Locale.Tr "graphs.component_failed_to_load"}}"
 					>
 					</div>
diff --git a/web_src/js/components/ScopedAccessTokenSelector.vue b/web_src/js/components/ScopedAccessTokenSelector.vue
index 9eaf8240358a5..c4801eea06416 100644
--- a/web_src/js/components/ScopedAccessTokenSelector.vue
+++ b/web_src/js/components/ScopedAccessTokenSelector.vue
@@ -7,23 +7,104 @@ const props = defineProps<{
   noAccessLabel: string;
   readLabel: string;
   writeLabel: string;
+  scopes: string[];
 }>();
 
 const categories = computed(() => {
-  const categories = [
-    'activitypub',
-  ];
+  const categories = {
+    'activitypub': {
+      read: {
+        value: 'read:activitypub',
+        selected: props.scopes.includes('read:activitypub'),
+      },
+      write: {
+        value: 'write:activitypub',
+        selected: props.scopes.includes('write:activitypub'),
+      },
+    },
+  };
   if (props.isAdmin) {
-    categories.push('admin');
+    categories['admin'] = {
+      read: {
+        value: 'read:admin',
+        selected: props.scopes.includes('read:admin'),
+      },
+      write: {
+        value: 'write:admin',
+        selected: props.scopes.includes('write:admin'),
+      },
+    };
   }
-  categories.push(
-    'issue',
-    'misc',
-    'notification',
-    'organization',
-    'package',
-    'repository',
-    'user');
+  categories['issue'] = {
+    read: {
+      value: 'read:issue',
+      selected: props.scopes.includes('read:issue'),
+    },
+    write: {
+      value: 'write:issue',
+      selected: props.scopes.includes('write:issue'),
+    },
+  };
+  categories['misc'] = {
+    read: {
+      value: 'read:misc',
+      selected: props.scopes.includes('read:misc'),
+    },
+    write: {
+      value: 'write:misc',
+      selected: props.scopes.includes('write:misc'),
+    },
+  };
+  categories['notification'] = {
+    read: {
+      value: 'read:notification',
+      selected: props.scopes.includes('read:notification'),
+    },
+    write: {
+      value: 'write:notification',
+      selected: props.scopes.includes('write:notification'),
+    },
+  };
+  categories['organization'] = {
+    read: {
+      value: 'read:organization',
+      selected: props.scopes.includes('read:organization'),
+    },
+    write: {
+      value: 'write:organization',
+      selected: props.scopes.includes('write:organization'),
+    },
+  };
+  categories['package'] = {
+    read: {
+      value: 'read:package',
+      selected: props.scopes.includes('read:package'),
+    },
+    write: {
+      value: 'write:package',
+      selected: props.scopes.includes('write:package'),
+    },
+  };
+  categories['repository'] = {
+    read: {
+      value: 'read:repository',
+      selected: props.scopes.includes('read:repository'),
+    },
+    write: {
+      value: 'write:repository',
+      selected: props.scopes.includes('write:repository'),
+    },
+  };
+  categories['user'] = {
+    read: {
+      value: 'read:user',
+      selected: props.scopes.includes('read:user'),
+    },
+    write: {
+      value: 'write:user',
+      selected: props.scopes.includes('write:user'),
+    },
+  };
   return categories;
 });
 
@@ -56,7 +137,7 @@ function onClickSubmit(e: Event) {
 </script>
 
 <template>
-  <div v-for="category in categories" :key="category" class="field tw-pl-1 tw-pb-1 access-token-category">
+  <div v-for="(permissions, category) in categories" :key="category" class="field tw-pl-1 tw-pb-1 access-token-category">
     <label class="category-label" :for="'access-token-scope-' + category">
       {{ category }}
     </label>
@@ -69,11 +150,8 @@ function onClickSubmit(e: Event) {
         <option value="">
           {{ noAccessLabel }}
         </option>
-        <option :value="'read:' + category">
-          {{ readLabel }}
-        </option>
-        <option :value="'write:' + category">
-          {{ writeLabel }}
+        <option v-for="(permission, action) in permissions" :key="permission.value" :value="permission.value" :selected="permission.selected">
+          {{ action === 'read' ? readLabel : writeLabel }}
         </option>
       </select>
     </div>
diff --git a/web_src/js/features/scoped-access-token.ts b/web_src/js/features/scoped-access-token.ts
index c498d4c0111d0..dae1d873866e5 100644
--- a/web_src/js/features/scoped-access-token.ts
+++ b/web_src/js/features/scoped-access-token.ts
@@ -11,6 +11,7 @@ export async function initScopedAccessTokenCategories() {
       noAccessLabel: el.getAttribute('data-no-access-label'),
       readLabel: el.getAttribute('data-read-label'),
       writeLabel: el.getAttribute('data-write-label'),
+      scopes: JSON.parse(el.getAttribute('data-scopes')),
     });
     View.mount(el);
   } catch (err) {