Diffstat (limited to 'test')
-rw-r--r-- | test/plugs/oauth_scopes_plug_test.exs | 38 | ||||
-rw-r--r-- | test/web/twitter_api/util_controller_test.exs | 10 |
2 files changed, 42 insertions, 6 deletions
diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs index f328026df..9b0a2e702 100644 --- a/test/plugs/oauth_scopes_plug_test.exs +++ b/test/plugs/oauth_scopes_plug_test.exs @@ -84,7 +84,8 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do refute conn.assigns[:user] end - test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions", + test "returns 403 and halts " <> + "in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions", %{conn: conn} do token = insert(:oauth_token, scopes: ["read", "write"]) any_of_scopes = ["follow"] @@ -101,7 +102,8 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do assert Jason.encode!(%{error: expected_error}) == conn.resp_body end - test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions", + test "returns 403 and halts " <> + "in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions", %{conn: conn} do token = insert(:oauth_token, scopes: ["read", "write"]) all_of_scopes = ["write", "follow"] 
@@ -119,4 +121,36 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do assert Jason.encode!(%{error: expected_error}) == conn.resp_body end + + describe "with hierarchical scopes, " do + test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{ + conn: conn + } do + token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user) + + conn = + conn + |> assign(:user, token.user) + |> assign(:token, token) + |> OAuthScopesPlug.call(%{scopes: ["read:something"]}) + + refute conn.halted + assert conn.assigns[:user] + end + + test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{ + conn: conn + } do + token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user) + + conn = + conn + |> assign(:user, token.user) + |> assign(:token, token) + |> OAuthScopesPlug.call(%{scopes: ["scope1:subscope", "scope2:subscope"], op: :&}) + + refute conn.halted + assert conn.assigns[:user] + end + end end diff --git a/test/web/twitter_api/util_controller_test.exs b/test/web/twitter_api/util_controller_test.exs index cf8e69d2b..685e48270 100644 --- a/test/web/twitter_api/util_controller_test.exs +++ b/test/web/twitter_api/util_controller_test.exs 
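Review bot: Both tests in the new `describe "with hierarchical scopes, "` block check only the permissive direction (a token holding `read` passes a `read:something` requirement), so neither would fail if the scope matching were too loose. Add negative cases that pin the boundary. A token holding only `read:something` should be halted with 403 when `read` is required, and a token holding `read` should not satisfy a scope that merely shares the prefix without the `:` delimiter (for example `readonly:something`, a constructed value). The plug is not part of this diff, so its current behaviour cannot be confirmed from here. A sketch of the first case follows.

```elixir
# … unchanged: the two "proceeds with no op" tests …
test "halts with 403 if `token.scopes` hold only a sub-scope of the required scope", %{
  conn: conn
} do
  token = insert(:oauth_token, scopes: ["read:something"]) |> Repo.preload(:user)

  conn =
    conn
    |> assign(:user, token.user)
    |> assign(:token, token)
    |> OAuthScopesPlug.call(%{scopes: ["read"]})

  assert conn.halted
  assert 403 == conn.status
end
```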
@@ -78,19 +78,21 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do assert response == "job started" end - test "requires 'follow' permission", %{conn: conn} do + test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do token1 = insert(:oauth_token, scopes: ["read", "write"]) token2 = insert(:oauth_token, scopes: ["follow"]) + token3 = insert(:oauth_token, scopes: ["something"]) another_user = insert(:user) - for token <- [token1, token2] do + for token <- [token1, token2, token3] do conn = conn |> put_req_header("authorization", "Bearer #{token.token}") |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"}) - if token == token1 do - assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403) + if token == token3 do + assert %{"error" => "Insufficient permissions: follow | write:follows."} == + json_response(conn, 403) else assert json_response(conn, 200) end |
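Review bot: The only denied case is now `token3` with the unrelated scope `["something"]`, so the test no longer shows that a read-only token is rejected by `/api/pleroma/follow_import`. Despite the new test name, no token holding exactly `write:follows` is exercised either. Consider `token3 = insert(:oauth_token, scopes: ["read"])` for the 403 branch and an extra `token4 = insert(:oauth_token, scopes: ["write:follows"])` in the list that expects 200. The `for` loop and the test body close outside this hunk.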