[#1427] Extra check that admin OAuth scope is used by admin. Adjusted tests.

1 files changed, 13 insertions, 2 deletions

diff --git a/test/web/admin_api/admin_api_controller_test.exs b/test/web/admin_api/admin_api_controller_test.exs
index 2fc23ad6c..bcab63cf0 100644
--- a/test/web/admin_api/admin_api_controller_test.exs
+++ b/test/web/admin_api/admin_api_controller_test.exs
@@ -36,6 +36,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
     test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope" do
       user = insert(:user)
       admin = insert(:user, is_admin: true)
+      url = "/api/pleroma/admin/users/#{user.nickname}"
 
       good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
       good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
@@ -50,17 +51,27 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
           build_conn()
           |> assign(:user, admin)
           |> assign(:token, good_token)
-          |> get("/api/pleroma/admin/users/#{user.nickname}")
+          |> get(url)
 
         assert json_response(conn, 200)
       end
 
+      for good_token <- [good_token1, good_token2, good_token3] do
+        conn =
+          build_conn()
+          |> assign(:user, nil)
+          |> assign(:token, good_token)
+          |> get(url)
+
+        assert json_response(conn, :forbidden)
+      end
+
       for bad_token <- [bad_token1, bad_token2, bad_token3] do
         conn =
           build_conn()
           |> assign(:user, admin)
           |> assign(:token, bad_token)
-          |> get("/api/pleroma/admin/users/#{user.nickname}")
+          |> get(url)
 
         assert json_response(conn, :forbidden)
       end