author | kaniini <nenolod@gmail.com> | 2018-12-06 07:36:21 +0000 |
---|---|---|
committer | kaniini <nenolod@gmail.com> | 2018-12-06 07:36:21 +0000 |
commit | ccf0b46dd6a0390a06847b4a1c3eedc8d8e6c916 (patch) | |
tree | ff377034c4c91bf34e56220fd23a121d9f983942 /test/web/twitter_api/twitter_api_controller_test.exs | |
parent | 48a03156465ec5c653101a57d4c899d0c6ffe1cf (diff) | |
parent | 3e90f688f14310e92fe9343f2680c58d74f71cb6 (diff) | |
Merge branch '210_twitter_api_uploads_alt_text' into 'develop'
[#210] TwitterAPI: alt text support for uploaded images. Mastodon API uploads security fix.
See merge request pleroma/pleroma!496
Diffstat (limited to 'test/web/twitter_api/twitter_api_controller_test.exs')
-rw-r--r-- | test/web/twitter_api/twitter_api_controller_test.exs | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs
index a8a9da781..4119d1dd8 100644
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@@ -1376,4 +1376,82 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
 assert [user.id, user_two.id, user_three.id] == Enum.map(resp, fn %{"id" => id} -> id end)
 end
 end
+
+ describe "POST /api/media/upload" do
+ setup context do
+ Pleroma.DataCase.ensure_local_uploader(context)
+ end
+
+ test "it performs the upload and sets `data[actor]` with AP id of uploader user", %{
+ conn: conn
+ } do
+ user = insert(:user)
+
+ upload_filename = "test/fixtures/image_tmp.jpg"
+ File.cp!("test/fixtures/image.jpg", upload_filename)
+
+ file = %Plug.Upload{
+ content_type: "image/jpg",
+ path: Path.absname(upload_filename),
+ filename: "image.jpg"
+ }
+
+ response =
+ conn
+ |> assign(:user, user)
+ |> put_req_header("content-type", "application/octet-stream")
+ |> post("/api/media/upload", %{
+ "media" => file
+ })
+ |> json_response(:ok)
+
+ assert response["media_id"]
+ object = Repo.get(Object, response["media_id"])
+ assert object
+ assert object.data["actor"] == User.ap_id(user)
+ end
+ end
+
+ describe "POST /api/media/metadata/create" do
+ setup do
+ object = insert(:note)
+ user = User.get_by_ap_id(object.data["actor"])
+ %{object: object, user: user}
+ end
+
+ test "it returns :forbidden status on attempt to modify someone else's upload", %{
+ conn: conn,
+ object: object
+ } do
+ initial_description = object.data["name"]
+ another_user = insert(:user)
+
+ conn
+ |> assign(:user, another_user)
+ |> post("/api/media/metadata/create", %{"media_id" => object.id})
+ |> json_response(:forbidden)
+
+ object = Repo.get(Object, object.id)
+ assert object.data["name"] == initial_description
+ end
+
+ test "it updates `data[name]` of referenced Object with provided value", %{
+ conn: conn,
+ object: object,
+ user: user
+ } do
+ description = "Informative description of the image. Initial value: #{object.data["name"]}}"
+
+ conn
+ |> assign(:user, user)
+ |> post("/api/media/metadata/create", %{
+ "media_id" => object.id,
+ "alt_text" => %{"text" => description}
+ })
+ |> json_response(:no_content)
+
+ object = Repo.get(Object, object.id)
+ assert object.data["name"] == description
+ end
+ end
 end
|
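Review bot: The `:forbidden` test posts only `media_id`, so its closing `assert object.data["name"] == initial_description` is vacuous: the request carries no description that could have been written, and the status assertion alone guards the ownership check. Since this is the regression test for editing someone else's upload, send a value as well, e.g. `|> post("/api/media/metadata/create", %{"media_id" => object.id, "alt_text" => %{"text" => "overwritten"}})`, so the test proves the write was rejected rather than never attempted. Separately, the setup builds the target with `insert(:note)`, which suggests the endpoint will rewrite `data["name"]` on any object whose actor matches, not only on uploads. If that is not intended, a case that passes a non-media object and expects rejection would pin the behaviour down.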