2 files changed, 37 insertions, 0 deletions

diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index 1571ab68e..27b1e878c 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -1690,6 +1690,24 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
       assert [relationship] = json_response(conn, 200)
       assert other_user.id == relationship["id"]
     end
+
+    test "requires 'read' permission", %{conn: conn} do
+      token1 = insert(:oauth_token, scopes: ["write"])
+      token2 = insert(:oauth_token, scopes: ["read"])
+
+      for token <- [token1, token2] do
+        conn =
+          conn
+          |> put_req_header("authorization", "Bearer #{token.token}")
+          |> get("/api/pleroma/friend_requests")
+
+        if token == token1 do
+          assert %{"error" => "Insufficient permissions: read."} == json_response(conn, 403)
+        else
+          assert json_response(conn, 200)
+        end
+      end
+    end
   end
 
   describe "POST /api/pleroma/friendships/approve" do
diff --git a/test/web/twitter_api/util_controller_test.exs b/test/web/twitter_api/util_controller_test.exs
index 007d7d8e6..fc762ab18 100644
--- a/test/web/twitter_api/util_controller_test.exs
+++ b/test/web/twitter_api/util_controller_test.exs
@@ -16,6 +16,25 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
 
       assert response == "job started"
     end
+
+    test "requires 'follow' permission", %{conn: conn} do
+      token1 = insert(:oauth_token, scopes: ["read", "write"])
+      token2 = insert(:oauth_token, scopes: ["follow"])
+      another_user = insert(:user)
+
+      for token <- [token1, token2] do
+        conn =
+          conn
+          |> put_req_header("authorization", "Bearer #{token.token}")
+          |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
+
+        if token == token1 do
+          assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403)
+        else
+          assert json_response(conn, 200)
+        end
+      end
+    end
   end
 
   describe "POST /api/pleroma/blocks_import" do