3 files changed, 175 insertions, 8 deletions

diff --git a/test/plugs/legacy_authentication_plug_test.exs b/test/plugs/legacy_authentication_plug_test.exs
index 302662797..8b0b06772 100644
--- a/test/plugs/legacy_authentication_plug_test.exs
+++ b/test/plugs/legacy_authentication_plug_test.exs
@@ -47,16 +47,18 @@ defmodule Pleroma.Plugs.LegacyAuthenticationPlugTest do
       |> assign(:auth_user, user)
 
     conn =
-      with_mock User,
-        reset_password: fn user, %{password: password, password_confirmation: password} ->
-          send(self(), :reset_password)
-          {:ok, user}
-        end do
-        conn
-        |> LegacyAuthenticationPlug.call(%{})
+      with_mocks([
+        {:crypt, [], [crypt: fn _password, password_hash -> password_hash end]},
+        {User, [],
+         [
+           reset_password: fn user, %{password: password, password_confirmation: password} ->
+             {:ok, user}
+           end
+         ]}
+      ]) do
+        LegacyAuthenticationPlug.call(conn, %{})
       end
 
-    assert_received :reset_password
     assert conn.assigns.user == user
   end
 
diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs
new file mode 100644
index 000000000..f328026df
--- /dev/null
+++ b/test/plugs/oauth_scopes_plug_test.exs
@@ -0,0 +1,122 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.OAuthScopesPlugTest do
+  use Pleroma.Web.ConnCase, async: true
+
+  alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.Repo
+
+  import Pleroma.Factory
+
+  test "proceeds with no op if `assigns[:token]` is nil", %{conn: conn} do
+    conn =
+      conn
+      |> assign(:user, insert(:user))
+      |> OAuthScopesPlug.call(%{scopes: ["read"]})
+
+    refute conn.halted
+    assert conn.assigns[:user]
+  end
+
+  test "proceeds with no op if `token.scopes` fulfill specified 'any of' conditions", %{
+    conn: conn
+  } do
+    token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+    conn =
+      conn
+      |> assign(:user, token.user)
+      |> assign(:token, token)
+      |> OAuthScopesPlug.call(%{scopes: ["read"]})
+
+    refute conn.halted
+    assert conn.assigns[:user]
+  end
+
+  test "proceeds with no op if `token.scopes` fulfill specified 'all of' conditions", %{
+    conn: conn
+  } do
+    token = insert(:oauth_token, scopes: ["scope1", "scope2", "scope3"]) |> Repo.preload(:user)
+
+    conn =
+      conn
+      |> assign(:user, token.user)
+      |> assign(:token, token)
+      |> OAuthScopesPlug.call(%{scopes: ["scope2", "scope3"], op: :&})
+
+    refute conn.halted
+    assert conn.assigns[:user]
+  end
+
+  test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'any of' conditions " <>
+         "and `fallback: :proceed_unauthenticated` option is specified",
+       %{conn: conn} do
+    token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+    conn =
+      conn
+      |> assign(:user, token.user)
+      |> assign(:token, token)
+      |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
+
+    refute conn.halted
+    refute conn.assigns[:user]
+  end
+
+  test "proceeds with cleared `assigns[:user]` if `token.scopes` doesn't fulfill specified 'all of' conditions " <>
+         "and `fallback: :proceed_unauthenticated` option is specified",
+       %{conn: conn} do
+    token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+
+    conn =
+      conn
+      |> assign(:user, token.user)
+      |> assign(:token, token)
+      |> OAuthScopesPlug.call(%{
+        scopes: ["read", "follow"],
+        op: :&,
+        fallback: :proceed_unauthenticated
+      })
+
+    refute conn.halted
+    refute conn.assigns[:user]
+  end
+
+  test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'any of' conditions",
+       %{conn: conn} do
+    token = insert(:oauth_token, scopes: ["read", "write"])
+    any_of_scopes = ["follow"]
+
+    conn =
+      conn
+      |> assign(:token, token)
+      |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
+
+    assert conn.halted
+    assert 403 == conn.status
+
+    expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
+    assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+  end
+
+  test "returns 403 and halts in case of no :fallback option and `token.scopes` not fulfilling specified 'all of' conditions",
+       %{conn: conn} do
+    token = insert(:oauth_token, scopes: ["read", "write"])
+    all_of_scopes = ["write", "follow"]
+
+    conn =
+      conn
+      |> assign(:token, token)
+      |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
+
+    assert conn.halted
+    assert 403 == conn.status
+
+    expected_error =
+      "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
+
+    assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+  end
+end
diff --git a/test/plugs/uploaded_media_plug_test.exs b/test/plugs/uploaded_media_plug_test.exs
new file mode 100644
index 000000000..49cf5396a
--- /dev/null
+++ b/test/plugs/uploaded_media_plug_test.exs
@@ -0,0 +1,43 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.UploadedMediaPlugTest do
+  use Pleroma.Web.ConnCase
+  alias Pleroma.Upload
+
+  defp upload_file(context) do
+    Pleroma.DataCase.ensure_local_uploader(context)
+    File.cp!("test/fixtures/image.jpg", "test/fixtures/image_tmp.jpg")
+
+    file = %Plug.Upload{
+      content_type: "image/jpg",
+      path: Path.absname("test/fixtures/image_tmp.jpg"),
+      filename: "nice_tf.jpg"
+    }
+
+    {:ok, data} = Upload.store(file)
+    [%{"href" => attachment_url} | _] = data["url"]
+    [attachment_url: attachment_url]
+  end
+
+  setup_all :upload_file
+
+  test "does not send Content-Disposition header when name param is not set", %{
+    attachment_url: attachment_url
+  } do
+    conn = get(build_conn(), attachment_url)
+    refute Enum.any?(conn.resp_headers, &(elem(&1, 0) == "content-disposition"))
+  end
+
+  test "sends Content-Disposition header when name param is set", %{
+    attachment_url: attachment_url
+  } do
+    conn = get(build_conn(), attachment_url <> "?name=\"cofe\".gif")
+
+    assert Enum.any?(
+             conn.resp_headers,
+             &(&1 == {"content-disposition", "filename=\"\\\"cofe\\\".gif\""})
+           )
+  end
+end