- # Note: in real-life scenarios only users with is_admin flag can possess admin-scoped tokens;
- # however, the following test stresses out that is_admin flag is not checked if we got token
- test "if token has any of admin scopes, accepts users regardless of is_admin flag",
- %{users: users} do
- for user <- users do
- token = insert(:oauth_token, user: user, scopes: ["admin:something"])
-
- conn =
- build_conn()
- |> assign(:user, user)
- |> assign(:token, token)
- |> UserIsAdminPlug.call(%{})
-
- ret_conn = UserIsAdminPlug.call(conn, %{})
-
- assert conn == ret_conn
- end
- end
-
- test "if token lacks admin scopes, denies users regardless of is_admin flag",
- %{users: users} do
- for user <- users do
- token = insert(:oauth_token, user: user)
-
- conn =
- build_conn()
- |> assign(:user, user)
- |> assign(:token, token)
- |> UserIsAdminPlug.call(%{})
-
- assert conn.status == 403
- end
- end