1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
5 defmodule Pleroma.Plugs.UserIsAdminPlugTest do
6 use Pleroma.Web.ConnCase, async: true
8 alias Pleroma.Plugs.UserIsAdminPlug
11 describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
12 clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
13 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
16 test "accepts a user that is admin" do
17 user = insert(:user, is_admin: true)
19 conn = assign(build_conn(), :user, user)
21 ret_conn = UserIsAdminPlug.call(conn, %{})
23 assert conn == ret_conn
26 test "denies a user that isn't admin" do
31 |> assign(:user, user)
32 |> UserIsAdminPlug.call(%{})
34 assert conn.status == 403
37 test "denies when a user isn't set" do
38 conn = UserIsAdminPlug.call(build_conn(), %{})
40 assert conn.status == 403
44 describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
45 clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
46 Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
50 admin_user = insert(:user, is_admin: true)
51 non_admin_user = insert(:user, is_admin: false)
54 {:ok, %{users: [admin_user, non_admin_user, blank_user]}}
57 # Note: in real-life scenarios only users with is_admin flag can possess admin-scoped tokens;
58 # however, the following test stresses out that is_admin flag is not checked if we got token
59 test "if token has any of admin scopes, accepts users regardless of is_admin flag",
62 token = insert(:oauth_token, user: user, scopes: ["admin:something"])
66 |> assign(:user, user)
67 |> assign(:token, token)
68 |> UserIsAdminPlug.call(%{})
70 ret_conn = UserIsAdminPlug.call(conn, %{})
72 assert conn == ret_conn
76 test "if token lacks admin scopes, denies users regardless of is_admin flag",
79 token = insert(:oauth_token, user: user)
83 |> assign(:user, user)
84 |> assign(:token, token)
85 |> UserIsAdminPlug.call(%{})
87 assert conn.status == 403
91 test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
95 |> assign(:user, user)
96 |> assign(:token, nil)
97 |> UserIsAdminPlug.call(%{})
99 assert conn.status == 403