alias Pleroma.Notification
alias Pleroma.Web.ActivityPub.ActivityPub
alias Pleroma.Web.OAuth.Token
+ alias Pleroma.Web.TwitterAPI.Controller
alias Pleroma.Web.TwitterAPI.UserView
alias Pleroma.Web.TwitterAPI.NotificationView
alias Pleroma.Web.CommonAPI
alias Ecto.Changeset
import Pleroma.Factory
+ import Mock
@banner "data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7"
|> get("/api/statuses/public_timeline.json")
|> json_response(200)
end
+
+ test_with_mock "treats user as unauthenticated if `assigns[:token]` is present but lacks `read` permission",
+ Controller,
+ [:passthrough],
+ [] do
+ token = insert(:oauth_token, scopes: ["write"])
+
+ build_conn()
+ |> put_req_header("authorization", "Bearer #{token.token}")
+ |> get("/api/statuses/public_timeline.json")
+ |> json_response(200)
+
+ assert called(Controller.public_timeline(%{assigns: %{user: nil}}, :_))
+ end
end
describe "GET /statuses/public_and_external_timeline.json" do
assert [relationship] = json_response(conn, 200)
assert other_user.id == relationship["id"]
end
+
+ test "requires 'read' permission", %{conn: conn} do
+ token1 = insert(:oauth_token, scopes: ["write"])
+ token2 = insert(:oauth_token, scopes: ["read"])
+
+ for token <- [token1, token2] do
+ conn =
+ conn
+ |> put_req_header("authorization", "Bearer #{token.token}")
+ |> get("/api/pleroma/friend_requests")
+
+ if token == token1 do
+ assert %{"error" => "Insufficient permissions: read."} == json_response(conn, 403)
+ else
+ assert json_response(conn, 200)
+ end
+ end
+ end
end
describe "POST /api/pleroma/friendships/approve" do
projects / akkoma / blobdiff