assert media["type"] == "image"
assert media["description"] == desc
assert media["id"]
- object = Object.get_by_id(media["id"])
- # TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
- assert object.data["actor"] == User.ap_id(conn.assigns[:user])
+ object = Object.get_by_id(media["id"])
+ assert object.data["actor"] == user.ap_id
end
end
end
end
- describe "Get media by id" do
+ describe "Get media by id (/api/v1/media/:id)" do
setup do: oauth_access(["read:media"])
setup %{user: actor} do
[object: object]
end
- test "/api/v1/media/:id", %{conn: conn, object: object} do
+ test "it returns media object when requested by owner", %{conn: conn, object: object} do
media =
conn
|> get("/api/v1/media/#{object.id}")
assert media["type"] == "image"
assert media["id"]
end
+
+ test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do
+ %{conn: conn, user: other_user} = oauth_access(["read:media"])
+
+ assert object.data["actor"] == user.ap_id
+ refute user.id == other_user.id
+
+ conn
+ |> get("/api/v1/media/#{object.id}")
+ |> json_response(403)
+ end
end
end
projects / akkoma / blobdiff