[#2497] Fixed merge issue.
1 # Pleroma: A lightweight social networking server
2 # Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
3 # SPDX-License-Identifier: AGPL-3.0-only
4
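defmodule Pleroma.Plugs.UserIsAdminPlugTest do
  # Tests for UserIsAdminPlug, the authorization gate for admin-only routes.
  #
  # Two configurations are covered, selected by
  # [:auth, :enforce_oauth_admin_scope_usage]:
  #   * false - the user's is_admin flag alone decides;
  #   * true  - the user must be an admin AND the OAuth token must carry an
  #             admin scope.
  #
  # Every deny path asserts both the 403 status and `conn.halted`. The status
  # alone does not stop a Plug pipeline: a connection that is marked 403 but not
  # halted would still be handed to the next plug or controller action.
  #
  # NOTE(review): clear_config/2 is defined outside this file and presumably
  # changes application-wide configuration; confirm that is safe together with
  # `async: true`, since a racing test could flip the enforcement flag.
  use Pleroma.Web.ConnCase, async: true

  alias Pleroma.Plugs.UserIsAdminPlug
  import Pleroma.Factory

  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)

    test "accepts a user that is an admin" do
      user = insert(:user, is_admin: true)

      conn = assign(build_conn(), :user, user)

      ret_conn = UserIsAdminPlug.call(conn, %{})

      # The plug must pass the connection through untouched.
      assert conn == ret_conn
      refute ret_conn.halted
    end

    test "denies a user that isn't an admin" do
      user = insert(:user)

      conn =
        build_conn()
        |> assign(:user, user)
        |> UserIsAdminPlug.call(%{})

      assert conn.status == 403
      assert conn.halted
    end

    test "denies when a user isn't set" do
      # No :user assign at all, i.e. an unauthenticated request.
      conn = UserIsAdminPlug.call(build_conn(), %{})

      assert conn.status == 403
      assert conn.halted
    end
  end

  describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)

    # The three principals the negative tests iterate over: an admin, a regular
    # user, and no user at all.
    setup do
      admin_user = insert(:user, is_admin: true)
      non_admin_user = insert(:user, is_admin: false)
      blank_user = nil

      {:ok, %{users: [admin_user, non_admin_user, blank_user]}}
    end

    # "admin:something" is an arbitrary scope in the admin namespace; going by
    # the test names, any admin scope is enough for this plug.
    test "if token has any of admin scopes, accepts a user that is an admin", %{conn: conn} do
      user = insert(:user, is_admin: true)
      token = insert(:oauth_token, user: user, scopes: ["admin:something"])

      conn =
        conn
        |> assign(:user, user)
        |> assign(:token, token)

      ret_conn = UserIsAdminPlug.call(conn, %{})

      assert conn == ret_conn
      refute ret_conn.halted
    end

    test "if token has any of admin scopes, denies a user that isn't an admin", %{conn: conn} do
      # An admin-scoped token must not elevate a non-admin account.
      user = insert(:user, is_admin: false)
      token = insert(:oauth_token, user: user, scopes: ["admin:something"])

      conn =
        conn
        |> assign(:user, user)
        |> assign(:token, token)
        |> UserIsAdminPlug.call(%{})

      assert conn.status == 403
      assert conn.halted
    end

    test "if token has any of admin scopes, denies when a user isn't set", %{conn: conn} do
      token = insert(:oauth_token, scopes: ["admin:something"])

      conn =
        conn
        |> assign(:user, nil)
        |> assign(:token, token)
        |> UserIsAdminPlug.call(%{})

      assert conn.status == 403
      assert conn.halted
    end

    test "if token lacks admin scopes, denies users regardless of is_admin flag",
         %{users: users} do
      for user <- users do
        # NOTE(review): this relies on the :oauth_token factory's default scopes
        # containing no admin scope; confirm, or pass `scopes:` explicitly.
        token = insert(:oauth_token, user: user)

        conn =
          build_conn()
          |> assign(:user, user)
          |> assign(:token, token)
          |> UserIsAdminPlug.call(%{})

        assert conn.status == 403
        assert conn.halted
      end
    end

    test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
      for user <- users do
        conn =
          build_conn()
          |> assign(:user, user)
          |> assign(:token, nil)
          |> UserIsAdminPlug.call(%{})

        assert conn.status == 403
        assert conn.halted
      end
    end
  end
end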