git.squeep.com Git - akkoma/blob - test/plugs/user_is_admin_plug_test.exs

   1 # Pleroma: A lightweight social networking server
   2 # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
   3 # SPDX-License-Identifier: AGPL-3.0-only
   4
   5 defmodule Pleroma.Plugs.UserIsAdminPlugTest do
   6   use Pleroma.Web.ConnCase, async: true
   7
   8   alias Pleroma.Plugs.UserIsAdminPlug
   9   import Pleroma.Factory
  10
  11   describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
  12     clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
  13       Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
  14     end
  15
  16     test "accepts a user that is admin" do
  17       user = insert(:user, is_admin: true)
  18
  19       conn = assign(build_conn(), :user, user)
  20
  21       ret_conn = UserIsAdminPlug.call(conn, %{})
  22
  23       assert conn == ret_conn
  24     end
  25
  26     test "denies a user that isn't admin" do
  27       user = insert(:user)
  28
  29       conn =
  30         build_conn()
  31         |> assign(:user, user)
  32         |> UserIsAdminPlug.call(%{})
  33
  34       assert conn.status == 403
  35     end
  36
  37     test "denies when a user isn't set" do
  38       conn = UserIsAdminPlug.call(build_conn(), %{})
  39
  40       assert conn.status == 403
  41     end
  42   end
  43
  44   describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
  45     clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
  46       Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
  47     end
  48
  49     setup do
  50       admin_user = insert(:user, is_admin: true)
  51       non_admin_user = insert(:user, is_admin: false)
  52       blank_user = nil
  53
  54       {:ok, %{users: [admin_user, non_admin_user, blank_user]}}
  55     end
  56
  57     # Note: in real-life scenarios only users with is_admin flag can possess admin-scoped tokens;
  58     #   however, the following test stresses out that is_admin flag is not checked if we got token
  59     test "if token has any of admin scopes, accepts users regardless of is_admin flag",
  60          %{users: users} do
  61       for user <- users do
  62         token = insert(:oauth_token, user: user, scopes: ["admin:something"])
  63
  64         conn =
  65           build_conn()
  66           |> assign(:user, user)
  67           |> assign(:token, token)
  68           |> UserIsAdminPlug.call(%{})
  69
  70         ret_conn = UserIsAdminPlug.call(conn, %{})
  71
  72         assert conn == ret_conn
  73       end
  74     end
  75
  76     test "if token lacks admin scopes, denies users regardless of is_admin flag",
  77          %{users: users} do
  78       for user <- users do
  79         token = insert(:oauth_token, user: user)
  80
  81         conn =
  82           build_conn()
  83           |> assign(:user, user)
  84           |> assign(:token, token)
  85           |> UserIsAdminPlug.call(%{})
  86
  87         assert conn.status == 403
  88       end
  89     end
  90
  91     test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
  92       for user <- users do
  93         conn =
  94           build_conn()
  95           |> assign(:user, user)
  96           |> assign(:token, nil)
  97           |> UserIsAdminPlug.call(%{})
  98
  99         assert conn.status == 403
 100       end
 101     end
 102   end
 103 end