From af9dfdce6b502d3a33db7a496879dda56719f56e Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Sun, 17 May 2020 08:46:43 +0300 Subject: MediaController OAuth scope assignments fix. Typo fix (`def get_media` instead of `def show`). --- .../web/mastodon_api/controllers/media_controller_test.exs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'test/web/mastodon_api/controllers') diff --git a/test/web/mastodon_api/controllers/media_controller_test.exs b/test/web/mastodon_api/controllers/media_controller_test.exs index 7ba1727f2..98ec239b1 100644 --- a/test/web/mastodon_api/controllers/media_controller_test.exs +++ b/test/web/mastodon_api/controllers/media_controller_test.exs @@ -9,9 +9,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do alias Pleroma.User alias Pleroma.Web.ActivityPub.ActivityPub - setup do: oauth_access(["write:media"]) - describe "Upload media" do + setup do: oauth_access(["write:media"]) + setup do image = %Plug.Upload{ content_type: "image/jpg", @@ -42,7 +42,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do assert object.data["actor"] == User.ap_id(conn.assigns[:user]) end - test "/api/v2/media", %{conn: conn, image: image} do + test "/api/v2/media", %{conn: conn, user: user, image: image} do desc = "Description of the image" response = @@ -53,6 +53,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do assert media_id = response["id"] + %{conn: conn} = oauth_access(["read:media"], user: user) + media = conn |> get("/api/v1/media/#{media_id}") @@ -62,11 +64,15 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do assert media["description"] == desc assert media["id"] object = Object.get_by_id(media["id"]) + + # TODO: clarify: if this EP allows access to non-owned objects, the following may be false: assert object.data["actor"] == User.ap_id(conn.assigns[:user]) end end describe "Update media description" do + setup do: oauth_access(["write:media"]) + setup %{user: actor} do file = %Plug.Upload{ content_type: "image/jpg", @@ -97,6 +103,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do end describe "Get media by id" do + setup do: oauth_access(["read:media"]) + setup %{user: actor} do file = %Plug.Upload{ content_type: "image/jpg", -- cgit v1.2.3 From 9b765652649f8b6110bd70aa90b148a90057ff6a Mon Sep 17 00:00:00 2001 From: Ivan Tashkinov Date: Mon, 18 May 2020 09:51:53 +0300 Subject: MediaController: enforced owner-only access in :show action. Improved error response on denied access (now 403). Adjusted tests. --- .../controllers/media_controller_test.exs | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'test/web/mastodon_api/controllers') diff --git a/test/web/mastodon_api/controllers/media_controller_test.exs b/test/web/mastodon_api/controllers/media_controller_test.exs index 98ec239b1..906fd940f 100644 --- a/test/web/mastodon_api/controllers/media_controller_test.exs +++ b/test/web/mastodon_api/controllers/media_controller_test.exs @@ -63,10 +63,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do assert media["type"] == "image" assert media["description"] == desc assert media["id"] - object = Object.get_by_id(media["id"]) - # TODO: clarify: if this EP allows access to non-owned objects, the following may be false: - assert object.data["actor"] == User.ap_id(conn.assigns[:user]) + object = Object.get_by_id(media["id"]) + assert object.data["actor"] == user.ap_id end end @@ -102,7 +101,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do end end - describe "Get media by id" do + describe "Get media by id (/api/v1/media/:id)" do setup do: oauth_access(["read:media"]) setup %{user: actor} do @@ -122,7 +121,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do [object: object] end - test "/api/v1/media/:id", %{conn: conn, object: object} do + test "it returns media object when requested by owner", %{conn: conn, object: object} do media = conn |> get("/api/v1/media/#{object.id}") @@ -132,5 +131,16 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do assert media["type"] == "image" assert media["id"] end + + test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do + %{conn: conn, user: other_user} = oauth_access(["read:media"]) + + assert object.data["actor"] == user.ap_id + refute user.id == other_user.id + + conn + |> get("/api/v1/media/#{object.id}") + |> json_response(403) + end end end -- cgit v1.2.3