1 files changed, 38 insertions, 8 deletions

diff --git a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
index d83f7f011..b9b3aed3b 100644
--- a/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
+++ b/test/pleroma/web/admin_api/controllers/admin_api_controller_test.exs
@@ -271,17 +271,32 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
     end
   end
 
-  test "/api/pleroma/admin/users/:nickname/password_reset", %{conn: conn} do
-    user = insert(:user)
+  describe "/api/pleroma/admin/users/:nickname/password_reset" do
+    test "it returns a password reset link", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [:user_credentials])
 
-    conn =
-      conn
-      |> put_req_header("accept", "application/json")
-      |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
+      user = insert(:user)
+
+      conn =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
+
+      resp = json_response(conn, 200)
+
+      assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
+    end
 
-    resp = json_response(conn, 200)
+    test "it requires privileged role :user_credentials", %{conn: conn} do
+      clear_config([:instance, :admin_privileges], [])
+
+      response =
+        conn
+        |> put_req_header("accept", "application/json")
+        |> get("/api/pleroma/admin/users/nickname/password_reset")
 
-    assert Regex.match?(~r/(http:\/\/|https:\/\/)/, resp["link"])
+      assert json_response(response, :forbidden)
+    end
   end
 
   describe "PUT disable_mfa" do
@@ -714,6 +729,8 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
     end
 
     test "changes password and email", %{conn: conn, admin: admin, user: user} do
+      clear_config([:instance, :admin_privileges], [:user_credentials])
+
       assert user.password_reset_pending == false
 
       conn =
@@ -756,6 +773,19 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
       assert json_response(conn, :forbidden)
     end
 
+    test "returns 403 if not privileged with :user_credentials", %{conn: conn, user: user} do
+      clear_config([:instance, :admin_privileges], [])
+
+      conn =
+        patch(conn, "/api/pleroma/admin/users/#{user.nickname}/credentials", %{
+          "password" => "new_password",
+          "email" => "new_email@example.com",
+          "name" => "new_name"
+        })
+
+      assert json_response(conn, :forbidden)
+    end
+
     test "changes actor type from permitted list", %{conn: conn, user: user} do
       assert user.actor_type == "Person"