Merge branch 'develop' of https://git.pleroma.social/pleroma/pleroma into develop

[akkoma] / test / web / oauth / oauth_controller_test.exs

diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs
index 901f2ae414bda6e3a56e21ba240d7ab36a07baf1..59f4674eb56bae181d6e20de6154960b51908f37 100644 (file)
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@@ -450,7 +450,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
 
     test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
          %{app: app, conn: conn} do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -474,7 +474,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -497,7 +497,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -523,7 +523,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            conn: conn
          } do
       unlisted_redirect_uri = "http://cross-site-request.com"
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -547,7 +547,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -568,29 +568,34 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
 
   describe "POST /oauth/authorize" do
     test "redirects with oauth authorization, " <>
-           "keeping only non-admin scopes for non-admin user" do
-      app = insert(:oauth_app, scopes: ["read", "write", "admin"])
+           "granting requested app-supported scopes to both admin- and non-admin users" do
+      app_scopes = ["read", "write", "admin", "secret_scope"]
+      app = insert(:oauth_app, scopes: app_scopes)
       redirect_uri = OAuthController.default_redirect_uri(app)
 
       non_admin = insert(:user, is_admin: false)
       admin = insert(:user, is_admin: true)
+      scopes_subset = ["read:subscope", "write", "admin"]
 
-      for {user, expected_scopes} <- %{
-            non_admin => ["read:subscope", "write"],
-            admin => ["read:subscope", "write", "admin"]
-          } do
+      # In case scope param is missing, expecting _all_ app-supported scopes to be granted
+      for user <- [non_admin, admin],
+          {requested_scopes, expected_scopes} <-
+            %{scopes_subset => scopes_subset, nil => app_scopes} do
         conn =
-          build_conn()
-          |> post("/oauth/authorize", %{
-            "authorization" => %{
-              "name" => user.nickname,
-              "password" => "test",
-              "client_id" => app.client_id,
-              "redirect_uri" => redirect_uri,
-              "scope" => "read:subscope write admin",
-              "state" => "statepassed"
+          post(
+            build_conn(),
+            "/oauth/authorize",
+            %{
+              "authorization" => %{
+                "name" => user.nickname,
+                "password" => "test",
+                "client_id" => app.client_id,
+                "redirect_uri" => redirect_uri,
+                "scope" => requested_scopes,
+                "state" => "statepassed"
+              }
             }
-          })
+          )
 
         target = redirected_to(conn)
         assert target =~ redirect_uri
@@ -631,34 +636,31 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
       assert result =~ "Invalid Username/Password"
     end
 
-    test "returns 401 for missing scopes " <>
-           "(including all admin-only scopes for non-admin user)" do
+    test "returns 401 for missing scopes" do
       user = insert(:user, is_admin: false)
       app = insert(:oauth_app, scopes: ["read", "write", "admin"])
       redirect_uri = OAuthController.default_redirect_uri(app)
 
-      for scope_param <- ["", "admin:read admin:write"] do
-        result =
-          build_conn()
-          |> post("/oauth/authorize", %{
-            "authorization" => %{
-              "name" => user.nickname,
-              "password" => "test",
-              "client_id" => app.client_id,
-              "redirect_uri" => redirect_uri,
-              "state" => "statepassed",
-              "scope" => scope_param
-            }
-          })
-          |> html_response(:unauthorized)
+      result =
+        build_conn()
+        |> post("/oauth/authorize", %{
+          "authorization" => %{
+            "name" => user.nickname,
+            "password" => "test",
+            "client_id" => app.client_id,
+            "redirect_uri" => redirect_uri,
+            "state" => "statepassed",
+            "scope" => ""
+          }
+        })
+        |> html_response(:unauthorized)
 
-        # Keep the details
-        assert result =~ app.client_id
-        assert result =~ redirect_uri
+      # Keep the details
+      assert result =~ app.client_id
+      assert result =~ redirect_uri
 
-        # Error message
-        assert result =~ "This action is outside the authorized scopes"
-      end
+      # Error message
+      assert result =~ "This action is outside the authorized scopes"
     end
 
     test "returns 401 for scopes beyond app scopes hierarchy", %{conn: conn} do