diff options
Diffstat (limited to 'test/web/twitter_api')
| -rw-r--r-- | test/web/twitter_api/twitter_api_controller_test.exs | 34 | ||||
| -rw-r--r-- | test/web/twitter_api/util_controller_test.exs | 19 |
2 files changed, 53 insertions, 0 deletions
diff --git a/test/web/twitter_api/twitter_api_controller_test.exs b/test/web/twitter_api/twitter_api_controller_test.exs index 1571ab68e..05a832967 100644 --- a/test/web/twitter_api/twitter_api_controller_test.exs +++ b/test/web/twitter_api/twitter_api_controller_test.exs @@ -14,6 +14,7 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do alias Pleroma.Notification alias Pleroma.Web.ActivityPub.ActivityPub alias Pleroma.Web.OAuth.Token + alias Pleroma.Web.TwitterAPI.Controller alias Pleroma.Web.TwitterAPI.UserView alias Pleroma.Web.TwitterAPI.NotificationView alias Pleroma.Web.CommonAPI @@ -22,6 +23,7 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do alias Ecto.Changeset import Pleroma.Factory + import Mock @banner "data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7" @@ -187,6 +189,20 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do |> get("/api/statuses/public_timeline.json") |> json_response(200) end + + test_with_mock "treats user as unauthenticated if `assigns[:token]` is present but lacks `read` permission", + Controller, + [:passthrough], + [] do + token = insert(:oauth_token, scopes: ["write"]) + + build_conn() + |> put_req_header("authorization", "Bearer #{token.token}") + |> get("/api/statuses/public_timeline.json") + |> json_response(200) + + assert called(Controller.public_timeline(%{assigns: %{user: nil}}, :_)) + end end describe "GET /statuses/public_and_external_timeline.json" do @@ -1690,6 +1706,24 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do assert [relationship] = json_response(conn, 200) assert other_user.id == relationship["id"] end + + test "requires 'read' permission", %{conn: conn} do + token1 = insert(:oauth_token, scopes: ["write"]) + token2 = insert(:oauth_token, scopes: ["read"]) + + for token <- [token1, token2] do + conn = + conn + |> put_req_header("authorization", "Bearer #{token.token}") + |> get("/api/pleroma/friend_requests") + + if token == token1 do + assert %{"error" => "Insufficient permissions: read."} == json_response(conn, 403) + else + assert json_response(conn, 200) + end + end + end end describe "POST /api/pleroma/friendships/approve" do diff --git a/test/web/twitter_api/util_controller_test.exs b/test/web/twitter_api/util_controller_test.exs index 007d7d8e6..fc762ab18 100644 --- a/test/web/twitter_api/util_controller_test.exs +++ b/test/web/twitter_api/util_controller_test.exs @@ -16,6 +16,25 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do assert response == "job started" end + + test "requires 'follow' permission", %{conn: conn} do + token1 = insert(:oauth_token, scopes: ["read", "write"]) + token2 = insert(:oauth_token, scopes: ["follow"]) + another_user = insert(:user) + + for token <- [token1, token2] do + conn = + conn + |> put_req_header("authorization", "Bearer #{token.token}") + |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"}) + + if token == token1 do + assert %{"error" => "Insufficient permissions: follow."} == json_response(conn, 403) + else + assert json_response(conn, 200) + end + end + end end describe "POST /api/pleroma/blocks_import" do |