MediaController: enforced owner-only access in :show action.

[akkoma] / test / web / mastodon_api / controllers / media_controller_test.exs

diff --git a/test/web/mastodon_api/controllers/media_controller_test.exs b/test/web/mastodon_api/controllers/media_controller_test.exs
index 042511ca4593e97c7703e520b998afb42e93126d..906fd940f7c1c6ad09f8359d58c8ad915278d391 100644 (file)
--- a/test/web/mastodon_api/controllers/media_controller_test.exs
+++ b/test/web/mastodon_api/controllers/media_controller_test.exs
@@ -1,5 +1,5 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
@@ -9,9 +9,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
-  setup do: oauth_access(["write:media"])
+  describe "Upload media" do
+    setup do: oauth_access(["write:media"])
 
-  describe "media upload" do
     setup do
       image = %Plug.Upload{
         content_type: "image/jpg",
@@ -22,16 +22,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       [image: image]
     end
 
-    clear_config([:media_proxy])
-    clear_config([Pleroma.Upload])
+    setup do: clear_config([:media_proxy])
+    setup do: clear_config([Pleroma.Upload])
 
-    test "returns uploaded image", %{conn: conn, image: image} do
+    test "/api/v1/media", %{conn: conn, image: image} do
       desc = "Description of the image"
 
       media =
         conn
+        |> put_req_header("content-type", "multipart/form-data")
         |> post("/api/v1/media", %{"file" => image, "description" => desc})
-        |> json_response(:ok)
+        |> json_response_and_validate_schema(:ok)
 
       assert media["type"] == "image"
       assert media["description"] == desc
@@ -40,9 +41,37 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       object = Object.get_by_id(media["id"])
       assert object.data["actor"] == User.ap_id(conn.assigns[:user])
     end
+
+    test "/api/v2/media", %{conn: conn, user: user, image: image} do
+      desc = "Description of the image"
+
+      response =
+        conn
+        |> put_req_header("content-type", "multipart/form-data")
+        |> post("/api/v2/media", %{"file" => image, "description" => desc})
+        |> json_response_and_validate_schema(202)
+
+      assert media_id = response["id"]
+
+      %{conn: conn} = oauth_access(["read:media"], user: user)
+
+      media =
+        conn
+        |> get("/api/v1/media/#{media_id}")
+        |> json_response_and_validate_schema(200)
+
+      assert media["type"] == "image"
+      assert media["description"] == desc
+      assert media["id"]
+
+      object = Object.get_by_id(media["id"])
+      assert object.data["actor"] == user.ap_id
+    end
   end
 
-  describe "PUT /api/v1/media/:id" do
+  describe "Update media description" do
+    setup do: oauth_access(["write:media"])
+
     setup %{user: actor} do
       file = %Plug.Upload{
         content_type: "image/jpg",
@@ -60,23 +89,58 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       [object: object]
     end
 
-    test "updates name of media", %{conn: conn, object: object} do
+    test "/api/v1/media/:id good request", %{conn: conn, object: object} do
       media =
         conn
+        |> put_req_header("content-type", "multipart/form-data")
         |> put("/api/v1/media/#{object.id}", %{"description" => "test-media"})
-        |> json_response(:ok)
+        |> json_response_and_validate_schema(:ok)
 
       assert media["description"] == "test-media"
       assert refresh_record(object).data["name"] == "test-media"
     end
+  end
+
+  describe "Get media by id (/api/v1/media/:id)" do
+    setup do: oauth_access(["read:media"])
+
+    setup %{user: actor} do
+      file = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      {:ok, %Object{} = object} =
+        ActivityPub.upload(
+          file,
+          actor: User.ap_id(actor),
+          description: "test-media"
+        )
+
+      [object: object]
+    end
 
-    test "returns error when request is bad", %{conn: conn, object: object} do
+    test "it returns media object when requested by owner", %{conn: conn, object: object} do
       media =
         conn
-        |> put("/api/v1/media/#{object.id}", %{})
-        |> json_response(400)
+        |> get("/api/v1/media/#{object.id}")
+        |> json_response_and_validate_schema(:ok)
+
+      assert media["description"] == "test-media"
+      assert media["type"] == "image"
+      assert media["id"]
+    end
+
+    test "it returns 403 if media object requested by non-owner", %{object: object, user: user} do
+      %{conn: conn, user: other_user} = oauth_access(["read:media"])
+
+      assert object.data["actor"] == user.ap_id
+      refute user.id == other_user.id
 
-      assert media == %{"error" => "bad_request"}
+      conn
+      |> get("/api/v1/media/#{object.id}")
+      |> json_response(403)
     end
   end
 end