[#468] Added OAuth scopes-specific tests.

author: Ivan Tashkinov <ivantashkinov@gmail.com> 2019-02-19 22:28:21 +0300
committer: Ivan Tashkinov <ivantashkinov@gmail.com> 2019-02-19 22:28:21 +0300
commit: 04ee877a20a849db53a307a1736e635229129b7a (patch)
tree: 41cf21ea4adb798dcb33bb41d7fab5b15c5ce154 /test/web/twitter_api
parent: c0ecbf6669948740a091bdf5b5441fb6ee55f4fc (diff)
download: pleroma-04ee877a20a849db53a307a1736e635229129b7a.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index 1571ab68e..27b1e878c 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -1690,6 +1690,24 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
       assert [relationship] = json_response(conn, 200)
       assert other_user.id == relationship["id"]
     end
+
+    test "requires 'read' permission", %{conn: conn} do
+      token1 = insert(:oauth_token, scopes: ["write"])
+      token2 = insert(:oauth_token, scopes: ["read"])
+
+      for token <- [token1, token2] do
+        conn =
+          conn
+          |> put_req_header("authorization", "Bearer #{token.token}")
+          |> get("/api/pleroma/friend_requests")
+
+        if token == token1 do
+          assert %{"error" => "Insufficient permissions: read."} == json_response(conn, 403)
+        else
+          assert json_response(conn, 200)
+        end
+      end
+    end
   end
 
   describe "POST /api/pleroma/friendships/approve" do
diff --git a/test/web/twitter_api/util_controller_test.exs b/test/web/twitter_api/util_controller_test.exs
index 007d7d8e6..fc762ab18 100644
--- a/test/web/twitter_api/util_controller_test.exs
+++ b/test/web/twitter_api/util_controller_test.exs
@@ -16,6 +16,25 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
 
       assert response == "job started"
     end
+
+    test "requires 'follow' permission", %{conn: conn} do
+      token1 = insert(:oauth_token, scopes: ["read", "write"])
+      token2 = insert(:oauth_token, scopes: ["follow"])
+      another_user = insert(:user)
+
+      for token <- [token1, token2] do
+        conn =
+          conn
+          |> put_req_header("authorization", "Bearer #{token.token}")
+          |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
+
+        if token == token1 do
+          assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403)
+        else
+          assert json_response(conn, 200)
+        end
+      end
+    end
   end
 
   describe "POST /api/pleroma/blocks_import" do
author	Ivan Tashkinov <ivantashkinov@gmail.com>	2019-02-19 22:28:21 +0300
committer	Ivan Tashkinov <ivantashkinov@gmail.com>	2019-02-19 22:28:21 +0300
commit	04ee877a20a849db53a307a1736e635229129b7a (patch)
tree	41cf21ea4adb798dcb33bb41d7fab5b15c5ce154 /test/web/twitter_api
parent	c0ecbf6669948740a091bdf5b5441fb6ee55f4fc (diff)
download	pleroma-04ee877a20a849db53a307a1736e635229129b7a.tar.gz