Merge branch 'develop' into feature/tag_feed

diff --combined CHANGELOG.md
index feb3f9b3c68a0a47a8d15d17cd57950a539ab959,39734830460c238dd70e685f1fa4cc92760bc7f9..e864cd88de473ab2a86ec70168f497f725e39823
--- 1/CHANGELOG.md
--- 2/CHANGELOG.md
+++ b/CHANGELOG.md
@@@ -7,8 -7,10 +7,10 @@@ The format is based on [Keep a Changelo
  ### Removed
  - **Breaking**: Removed 1.0+ deprecated configurations `Pleroma.Upload, :strip_exif` and `:instance, :dedupe_media`
  - **Breaking**: OStatus protocol support
+ - **Breaking**: MDII uploader
  
  ### Changed
+ - **Breaking:** attachments are removed along with statuses when there are no other references to it
  - **Breaking:** Elixir >=1.8 is now required (was >= 1.7)
  - **Breaking:** attachment links (`config :pleroma, :instance, no_attachment_links` and `config :pleroma, Pleroma.Upload, link_name`) disabled by default
  - Replaced [pleroma_job_queue](https://git.pleroma.social/pleroma/pleroma_job_queue) and `Pleroma.Web.Federator.RetryQueue` with [Oban](https://github.com/sorentwo/oban) (see [`docs/config.md`](docs/config.md) on migrating customized worker / retry settings)
@@@ -21,6 -23,7 +23,7 @@@
  - Deprecated `User.Info` embedded schema (fields moved to `User`)
  - Store status data inside Flag activity
  - Deprecated (reorganized as `UserRelationship` entity) User fields with user AP IDs (`blocks`, `mutes`, `muted_reblogs`, `muted_notifications`, `subscribers`).
+ - Logger: default log level changed from `warn` to `info`.
  <details>
    <summary>API Changes</summary>
  
@@@ -51,6 -54,7 +54,7 @@@
  - Support for `X-Forwarded-For` and similar HTTP headers which used by reverse proxies to pass a real user IP address to the backend. Must not be enabled unless your instance is behind at least one reverse proxy (such as Nginx, Apache HTTPD or Varnish Cache).
  - MRF: New module which handles incoming posts based on their age. By default, all incoming posts that are older than 2 days will be unlisted and not shown to their followers.
  - User notification settings: Add `privacy_option` option.
+ - Support for custom Elixir modules (such as MRF policies)
  - User settings: Add _This account is a_ option.
  - OAuth: admin scopes support (relevant setting: `[:auth, :enforce_oauth_admin_scope_usage]`).
  <details>
@@@ -86,8 -90,6 +90,8 @@@
  - Mastodon API: `/api/v1/update_credentials` accepts `actor_type` field.
  - Captcha: Support native provider
  - Captcha: Enable by default
 +- Configuration: `feed.logo` option for tag feed.
 +- Tag feed: `/tags/:tag.rss` - list public statuses by hashtag.
  </details>
  
  ### Fixed
@@@ -104,6 -106,7 +108,7 @@@
  - Mastodon API: Inability to get some local users by nickname in `/api/v1/accounts/:id_or_nickname`
  - AdminAPI: If some status received reports both in the "new" format and "old" format it was considered reports on two different statuses (in the context of grouped reports)
  - Admin API: Error when trying to update reports in the "old" format
+ - Mastodon API: Marking a conversation as read (`POST /api/v1/conversations/:id/read`) now no longer brings it to the top in the user's direct conversation list
  </details>
  
  ## [1.1.6] - 2019-11-19

diff --combined lib/pleroma/web/metadata/utils.ex
index c0dae1b7eb8e077e3b7035721f47dc60b1ade782,589d11901a0ceb91f50d5da672a909805c0c25ac..000bd9f66f5559a79c525596d9ebf9b4d6338ba1
--- 1/lib/pleroma/web/metadata/utils.ex
--- 2/lib/pleroma/web/metadata/utils.ex
+++ b/lib/pleroma/web/metadata/utils.ex
@@@ -15,26 -15,21 +15,28 @@@ defmodule Pleroma.Web.Metadata.Utils d
      |> String.replace(~r/<br\s?\/?>/, " ")
      |> HTML.get_cached_stripped_html_for_activity(object, "metadata")
      |> Emoji.Formatter.demojify()
+     |> HtmlEntities.decode()
      |> Formatter.truncate()
    end
  
    def scrub_html_and_truncate(content, max_length \\ 200) when is_binary(content) do
 +    content
 +    |> scrub_html
 +    |> Emoji.Formatter.demojify()
++    |> HtmlEntities.decode()
 +    |> Formatter.truncate(max_length)
 +  end
 +
 +  def scrub_html(content) when is_binary(content) do
      content
      # html content comes from DB already encoded, decode first and scrub after
      |> HtmlEntities.decode()
      |> String.replace(~r/<br\s?\/?>/, " ")
      |> HTML.strip_tags()
 -    |> Emoji.Formatter.demojify()
 -    |> HtmlEntities.decode()
 -    |> Formatter.truncate(max_length)
    end
  
 +  def scrub_html(content), do: content
 +
    def attachment_url(url) do
      MediaProxy.url(url)
    end

diff --combined lib/pleroma/web/router.ex
index b32cd7c90c4ed422a42495ff189aab509d24517a,9654ab8a3fe7402c358edc8654bffb9a7c6c487b..787d300fbf2ef2dddaf7dc97fdf883e83fb2e2e3
--- 1/lib/pleroma/web/router.ex
--- 2/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@@@ -229,9 -229,9 +229,9 @@@ defmodule Pleroma.Web.Router d
      pipe_through(:pleroma_html)
  
      post("/main/ostatus", UtilController, :remote_subscribe)
-     get("/ostatus_subscribe", UtilController, :remote_follow)
+     get("/ostatus_subscribe", RemoteFollowController, :follow)
  
-     post("/ostatus_subscribe", UtilController, :do_remote_follow)
+     post("/ostatus_subscribe", RemoteFollowController, :do_follow)
    end
  
    scope "/api/pleroma", Pleroma.Web.TwitterAPI do
@@@ -527,10 -527,8 +527,10 @@@
      get("/notice/:id", OStatus.OStatusController, :notice)
      get("/notice/:id/embed_player", OStatus.OStatusController, :notice_player)
  
 -    get("/users/:nickname/feed", Feed.FeedController, :feed)
 -    get("/users/:nickname", Feed.FeedController, :feed_redirect)
 +    get("/users/:nickname/feed", Feed.UserController, :feed, as: :user_feed)
 +    get("/users/:nickname", Feed.UserController, :feed_redirect, as: :user_feed)
 +
 +    get("/tags/:tag", Feed.TagController, :feed, as: :tag_feed)
    end
  
    scope "/", Pleroma.Web do

diff --combined test/user_test.exs
index 6be2281acad6b92a48b74a0850a3fa7c58ab563f,9da1e02a955977109bc6726c210afebdd422b84f..190b03645bb96e9a7b3ef9b486227ec22112d0f4
--- 1/test/user_test.exs
--- 2/test/user_test.exs
+++ b/test/user_test.exs
@@@ -17,6 -17,7 +17,7 @@@ defmodule Pleroma.UserTest d
  
    import Mock
    import Pleroma.Factory
+   import ExUnit.CaptureLog
  
    setup_all do
      Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
@@@ -26,6 -27,42 +27,42 @@@
    clear_config([:instance, :account_activation_required])
  
    describe "service actors" do
+     test "returns updated invisible actor" do
+       uri = "#{Pleroma.Web.Endpoint.url()}/relay"
+       followers_uri = "#{uri}/followers"
+ 
+       insert(
+         :user,
+         %{
+           nickname: "relay",
+           invisible: false,
+           local: true,
+           ap_id: uri,
+           follower_address: followers_uri
+         }
+       )
+ 
+       actor = User.get_or_create_service_actor_by_ap_id(uri, "relay")
+       assert actor.invisible
+     end
+ 
+     test "returns relay user" do
+       uri = "#{Pleroma.Web.Endpoint.url()}/relay"
+       followers_uri = "#{uri}/followers"
+ 
+       assert %User{
+                nickname: "relay",
+                invisible: true,
+                local: true,
+                ap_id: ^uri,
+                follower_address: ^followers_uri
+              } = User.get_or_create_service_actor_by_ap_id(uri, "relay")
+ 
+       assert capture_log(fn ->
+                refute User.get_or_create_service_actor_by_ap_id("/relay", "relay")
+              end) =~ "Cannot create service actor:"
+     end
+ 
      test "returns invisible actor" do
        uri = "#{Pleroma.Web.Endpoint.url()}/internal/fetch-test"
        followers_uri = "#{uri}/followers"
@@@ -548,7 -585,7 +585,7 @@@
      user = insert(:user)
  
      assert User.ap_id(user) ==
 -             Pleroma.Web.Router.Helpers.feed_url(
 +             Pleroma.Web.Router.Helpers.user_feed_url(
                 Pleroma.Web.Endpoint,
                 :feed_redirect,
                 user.nickname
@@@ -559,7 -596,7 +596,7 @@@
      user = insert(:user)
  
      assert User.ap_followers(user) ==
 -             Pleroma.Web.Router.Helpers.feed_url(
 +             Pleroma.Web.Router.Helpers.user_feed_url(
                 Pleroma.Web.Endpoint,
                 :feed_redirect,
                 user.nickname

diff --combined test/web/feed/tag_controller_test.exs
index efc5880704668633c4df30e5c8d20e1532501de2,0000000000000000000000000000000000000000..a56a1873828b04f44b8d23887fa670b9d82a136e
mode 100644,000000..100644
--- 1/test/web/feed/tag_controller_test.exs
--- /dev/null
+++ b/test/web/feed/tag_controller_test.exs
@@@ -1,89 -1,0 +1,101 @@@
 +# Pleroma: A lightweight social networking server
 +# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
 +# SPDX-License-Identifier: AGPL-3.0-only
 +
 +defmodule Pleroma.Web.Feed.TagControllerTest do
 +  use Pleroma.Web.ConnCase
 +
 +  import Pleroma.Factory
 +  import SweetXml
 +
 +  alias Pleroma.Web.Feed.FeedView
 +
 +  clear_config([:feed])
 +
 +  test "gets a feed", %{conn: conn} do
 +    Pleroma.Config.put(
 +      [:feed, :post_title],
 +      %{max_length: 25, omission: "..."}
 +    )
 +
 +    user = insert(:user)
 +    {:ok, activity1} = Pleroma.Web.CommonAPI.post(user, %{"status" => "yeah #PleromaArt"})
 +
 +    object = Pleroma.Object.normalize(activity1)
 +
 +    object_data =
 +      Map.put(object.data, "attachment", [
 +        %{
 +          "url" => [
 +            %{
 +              "href" =>
 +                "https://peertube.moe/static/webseed/df5f464b-be8d-46fb-ad81-2d4c2d1630e3-480.mp4",
 +              "mediaType" => "video/mp4",
 +              "type" => "Link"
 +            }
 +          ]
 +        }
 +      ])
 +
 +    object
 +    |> Ecto.Changeset.change(data: object_data)
 +    |> Pleroma.Repo.update()
 +
 +    {:ok, activity2} =
 +      Pleroma.Web.CommonAPI.post(user, %{"status" => "42 This is :moominmamma #PleromaArt"})
 +
 +    {:ok, _activity3} = Pleroma.Web.CommonAPI.post(user, %{"status" => "This is :moominmamma"})
 +
 +    response =
 +      conn
 +      |> put_req_header("content-type", "application/atom+xml")
 +      |> get(tag_feed_path(conn, :feed, "pleromaart.rss"))
 +      |> response(200)
 +
 +    xml = parse(response)
 +    assert xpath(xml, ~x"//channel/title/text()") == '#pleromaart'
 +
 +    assert xpath(xml, ~x"//channel/description/text()"s) ==
 +             "These are public toots tagged with #pleromaart. You can interact with them if you have an account anywhere in the fediverse."
 +
 +    assert xpath(xml, ~x"//channel/link/text()") ==
 +             '#{Pleroma.Web.base_url()}/tags/pleromaart.rss'
 +
 +    assert xpath(xml, ~x"//channel/webfeeds:logo/text()") ==
 +             '#{Pleroma.Web.base_url()}/static/logo.png'
 +
 +    assert xpath(xml, ~x"//channel/item/title/text()"l) == [
 +             '42 This is :moominmamm...',
 +             'yeah #PleromaArt'
 +           ]
 +
 +    assert xpath(xml, ~x"//channel/item/pubDate/text()"sl) == [
 +             FeedView.pub_date(activity1.data["published"]),
 +             FeedView.pub_date(activity2.data["published"])
 +           ]
 +
 +    assert xpath(xml, ~x"//channel/item/enclosure/@url"sl) == [
 +             "https://peertube.moe/static/webseed/df5f464b-be8d-46fb-ad81-2d4c2d1630e3-480.mp4"
 +           ]
 +
 +    obj1 = Pleroma.Object.normalize(activity1)
 +    obj2 = Pleroma.Object.normalize(activity2)
 +
 +    assert xpath(xml, ~x"//channel/item/description/text()"sl) == [
 +             HtmlEntities.decode(FeedView.activity_content(obj2)),
 +             HtmlEntities.decode(FeedView.activity_content(obj1))
 +           ]
++
++    response =
++      conn
++      |> put_req_header("content-type", "application/atom+xml")
++      |> get(tag_feed_path(conn, :feed, "pleromaart"))
++      |> response(200)
++
++    xml = parse(response)
++    assert xpath(xml, ~x"//channel/title/text()") == '#pleromaart'
++
++    assert xpath(xml, ~x"//channel/description/text()"s) ==
++             "These are public toots tagged with #pleromaart. You can interact with them if you have an account anywhere in the fediverse."
 +  end
 +end

diff --combined test/web/twitter_api/util_controller_test.exs
index 43299e147b3f5d9ec67035dda40215fd16457f33,8418fd071f26e7eece7ea04d7d48afaeff77427e..5d60c0d51865f1c94b3c29f051f4a48d2af96880
--- 1/test/web/twitter_api/util_controller_test.exs
--- 2/test/web/twitter_api/util_controller_test.exs
+++ b/test/web/twitter_api/util_controller_test.exs
@@@ -6,11 -6,11 +6,9 @@@ defmodule Pleroma.Web.TwitterAPI.UtilCo
    use Pleroma.Web.ConnCase
    use Oban.Testing, repo: Pleroma.Repo
  
-   alias Pleroma.Repo
    alias Pleroma.Tests.ObanHelpers
    alias Pleroma.User
--  alias Pleroma.Web.CommonAPI
-   import ExUnit.CaptureLog
+ 
 -  import ExUnit.CaptureLog
    import Pleroma.Factory
    import Mock
  
@@@ -24,21 -24,20 +22,20 @@@
    clear_config([:user, :deny_follow_blocked])
  
    describe "POST /api/pleroma/follow_import" do
+     setup do: oauth_access(["follow"])
+ 
      test "it returns HTTP 200", %{conn: conn} do
-       user1 = insert(:user)
        user2 = insert(:user)
  
        response =
          conn
-         |> assign(:user, user1)
          |> post("/api/pleroma/follow_import", %{"list" => "#{user2.ap_id}"})
          |> json_response(:ok)
  
        assert response == "job started"
      end
  
-     test "it imports follow lists from file", %{conn: conn} do
-       user1 = insert(:user)
+     test "it imports follow lists from file", %{user: user1, conn: conn} do
        user2 = insert(:user)
  
        with_mocks([
@@@ -49,7 -48,6 +46,6 @@@
        ]) do
          response =
            conn
-           |> assign(:user, user1)
            |> post("/api/pleroma/follow_import", %{"list" => %Plug.Upload{path: "follow_list.txt"}})
            |> json_response(:ok)
  
@@@ -67,12 -65,10 +63,10 @@@
      end
  
      test "it imports new-style mastodon follow lists", %{conn: conn} do
-       user1 = insert(:user)
        user2 = insert(:user)
  
        response =
          conn
-         |> assign(:user, user1)
          |> post("/api/pleroma/follow_import", %{
            "list" => "Account address,Show boosts\n#{user2.ap_id},true"
          })
@@@ -81,7 -77,7 +75,7 @@@
        assert response == "job started"
      end
  
-     test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
+     test "requires 'follow' or 'write:follows' permissions" do
        token1 = insert(:oauth_token, scopes: ["read", "write"])
        token2 = insert(:oauth_token, scopes: ["follow"])
        token3 = insert(:oauth_token, scopes: ["something"])
@@@ -89,7 -85,7 +83,7 @@@
  
        for token <- [token1, token2, token3] do
          conn =
-           conn
+           build_conn()
            |> put_req_header("authorization", "Bearer #{token.token}")
            |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
  
@@@ -104,21 -100,21 +98,21 @@@
    end
  
    describe "POST /api/pleroma/blocks_import" do
+     # Note: "follow" or "write:blocks" permission is required
+     setup do: oauth_access(["write:blocks"])
+ 
      test "it returns HTTP 200", %{conn: conn} do
-       user1 = insert(:user)
        user2 = insert(:user)
  
        response =
          conn
-         |> assign(:user, user1)
          |> post("/api/pleroma/blocks_import", %{"list" => "#{user2.ap_id}"})
          |> json_response(:ok)
  
        assert response == "job started"
      end
  
-     test "it imports blocks users from file", %{conn: conn} do
-       user1 = insert(:user)
+     test "it imports blocks users from file", %{user: user1, conn: conn} do
        user2 = insert(:user)
        user3 = insert(:user)
  
@@@ -127,7 -123,6 +121,6 @@@
        ]) do
          response =
            conn
-           |> assign(:user, user1)
            |> post("/api/pleroma/blocks_import", %{"list" => %Plug.Upload{path: "blocks_list.txt"}})
            |> json_response(:ok)
  
@@@ -146,18 -141,17 +139,17 @@@
    end
  
    describe "PUT /api/pleroma/notification_settings" do
-     test "it updates notification settings", %{conn: conn} do
-       user = insert(:user)
+     setup do: oauth_access(["write:accounts"])
  
+     test "it updates notification settings", %{user: user, conn: conn} do
        conn
-       |> assign(:user, user)
        |> put("/api/pleroma/notification_settings", %{
          "followers" => false,
          "bar" => 1
        })
        |> json_response(:ok)
  
-       user = Repo.get(User, user.id)
+       user = refresh_record(user)
  
        assert %Pleroma.User.NotificationSetting{
                 followers: false,
@@@ -168,11 -162,8 +160,8 @@@
               } == user.notification_settings
      end
  
-     test "it update notificatin privacy option", %{conn: conn} do
-       user = insert(:user)
- 
+     test "it updates notification privacy option", %{user: user, conn: conn} do
        conn
-       |> assign(:user, user)
        |> put("/api/pleroma/notification_settings", %{"privacy_option" => "1"})
        |> json_response(:ok)
  
@@@ -328,196 -319,6 +317,6 @@@
      end
    end
  
-   describe "GET /ostatus_subscribe - remote_follow/2" do
-     test "adds status to pleroma instance if the `acct` is a status", %{conn: conn} do
-       conn =
-         get(
-           conn,
-           "/ostatus_subscribe?acct=https://mastodon.social/users/emelie/statuses/101849165031453009"
-         )
- 
-       assert redirected_to(conn) =~ "/notice/"
-     end
- 
-     test "show follow account page if the `acct` is a account link", %{conn: conn} do
-       response =
-         get(
-           conn,
-           "/ostatus_subscribe?acct=https://mastodon.social/users/emelie"
-         )
- 
-       assert html_response(response, 200) =~ "Log in to follow"
-     end
- 
-     test "show follow page if the `acct` is a account link", %{conn: conn} do
-       user = insert(:user)
- 
-       response =
-         conn
-         |> assign(:user, user)
-         |> get("/ostatus_subscribe?acct=https://mastodon.social/users/emelie")
- 
-       assert html_response(response, 200) =~ "Remote follow"
-     end
- 
-     test "show follow page with error when user cannot fecth by `acct` link", %{conn: conn} do
-       user = insert(:user)
- 
-       assert capture_log(fn ->
-                response =
-                  conn
-                  |> assign(:user, user)
-                  |> get("/ostatus_subscribe?acct=https://mastodon.social/users/not_found")
- 
-                assert html_response(response, 200) =~ "Error fetching user"
-              end) =~ "Object has been deleted"
-     end
-   end
- 
-   describe "POST /ostatus_subscribe - do_remote_follow/2 with assigned user " do
-     test "follows user", %{conn: conn} do
-       user = insert(:user)
-       user2 = insert(:user)
- 
-       response =
-         conn
-         |> assign(:user, user)
-         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-         |> response(200)
- 
-       assert response =~ "Account followed!"
-       assert user2.follower_address in User.following(user)
-     end
- 
-     test "returns error when user is deactivated", %{conn: conn} do
-       user = insert(:user, deactivated: true)
-       user2 = insert(:user)
- 
-       response =
-         conn
-         |> assign(:user, user)
-         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-         |> response(200)
- 
-       assert response =~ "Error following account"
-     end
- 
-     test "returns error when user is blocked", %{conn: conn} do
-       Pleroma.Config.put([:user, :deny_follow_blocked], true)
-       user = insert(:user)
-       user2 = insert(:user)
- 
-       {:ok, _user_block} = Pleroma.User.block(user2, user)
- 
-       response =
-         conn
-         |> assign(:user, user)
-         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-         |> response(200)
- 
-       assert response =~ "Error following account"
-     end
- 
-     test "returns error when followee not found", %{conn: conn} do
-       user = insert(:user)
- 
-       response =
-         conn
-         |> assign(:user, user)
-         |> post("/ostatus_subscribe", %{"user" => %{"id" => "jimm"}})
-         |> response(200)
- 
-       assert response =~ "Error following account"
-     end
- 
-     test "returns success result when user already in followers", %{conn: conn} do
-       user = insert(:user)
-       user2 = insert(:user)
-       {:ok, _, _, _} = CommonAPI.follow(user, user2)
- 
-       response =
-         conn
-         |> assign(:user, refresh_record(user))
-         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-         |> response(200)
- 
-       assert response =~ "Account followed!"
-     end
-   end
- 
-   describe "POST /ostatus_subscribe - do_remote_follow/2 without assigned user " do
-     test "follows", %{conn: conn} do
-       user = insert(:user)
-       user2 = insert(:user)
- 
-       response =
-         conn
-         |> post("/ostatus_subscribe", %{
-           "authorization" => %{"name" => user.nickname, "password" => "test", "id" => user2.id}
-         })
-         |> response(200)
- 
-       assert response =~ "Account followed!"
-       assert user2.follower_address in User.following(user)
-     end
- 
-     test "returns error when followee not found", %{conn: conn} do
-       user = insert(:user)
- 
-       response =
-         conn
-         |> post("/ostatus_subscribe", %{
-           "authorization" => %{"name" => user.nickname, "password" => "test", "id" => "jimm"}
-         })
-         |> response(200)
- 
-       assert response =~ "Error following account"
-     end
- 
-     test "returns error when login invalid", %{conn: conn} do
-       user = insert(:user)
- 
-       response =
-         conn
-         |> post("/ostatus_subscribe", %{
-           "authorization" => %{"name" => "jimm", "password" => "test", "id" => user.id}
-         })
-         |> response(200)
- 
-       assert response =~ "Wrong username or password"
-     end
- 
-     test "returns error when password invalid", %{conn: conn} do
-       user = insert(:user)
-       user2 = insert(:user)
- 
-       response =
-         conn
-         |> post("/ostatus_subscribe", %{
-           "authorization" => %{"name" => user.nickname, "password" => "42", "id" => user2.id}
-         })
-         |> response(200)
- 
-       assert response =~ "Wrong username or password"
-     end
- 
-     test "returns error when user is blocked", %{conn: conn} do
-       Pleroma.Config.put([:user, :deny_follow_blocked], true)
-       user = insert(:user)
-       user2 = insert(:user)
-       {:ok, _user_block} = Pleroma.User.block(user2, user)
- 
-       response =
-         conn
-         |> post("/ostatus_subscribe", %{
-           "authorization" => %{"name" => user.nickname, "password" => "test", "id" => user2.id}
-         })
-         |> response(200)
- 
-       assert response =~ "Error following account"
-     end
-   end
- 
    describe "GET /api/pleroma/healthcheck" do
      clear_config([:instance, :healthcheck])
  
@@@ -552,7 -353,7 +351,7 @@@
        end
      end
  
-     test "returns 503 when healthcheck enabled and  health is false", %{conn: conn} do
+     test "returns 503 when healthcheck enabled and health is false", %{conn: conn} do
        Pleroma.Config.put([:instance, :healthcheck], true)
  
        with_mock Pleroma.Healthcheck,
@@@ -574,12 -375,11 +373,11 @@@
    end
  
    describe "POST /api/pleroma/disable_account" do
-     test "it returns HTTP 200", %{conn: conn} do
-       user = insert(:user)
+     setup do: oauth_access(["write:accounts"])
  
+     test "with valid permissions and password, it disables the account", %{conn: conn, user: user} do
        response =
          conn
-         |> assign(:user, user)
          |> post("/api/pleroma/disable_account", %{"password" => "test"})
          |> json_response(:ok)
  
@@@ -591,12 -391,11 +389,11 @@@
        assert user.deactivated == true
      end
  
-     test "it returns returns when password invalid", %{conn: conn} do
+     test "with valid permissions and invalid password, it returns an error", %{conn: conn} do
        user = insert(:user)
  
        response =
          conn
-         |> assign(:user, user)
          |> post("/api/pleroma/disable_account", %{"password" => "test1"})
          |> json_response(:ok)
  
@@@ -666,7 -465,7 +463,7 @@@
                 "https://social.heldscal.la/main/ostatussub?profile=#{user.ap_id}"
      end
  
-     test "it renders form with error when use not found", %{conn: conn} do
+     test "it renders form with error when user not found", %{conn: conn} do
        user2 = insert(:user, ap_id: "shp@social.heldscal.la")
  
        response =
@@@ -691,29 -490,21 +488,21 @@@
      end
    end
  
-   defp with_credentials(conn, username, password) do
-     header_content = "Basic " <> Base.encode64("#{username}:#{password}")
-     put_req_header(conn, "authorization", header_content)
-   end
- 
-   defp valid_user(_context) do
-     user = insert(:user)
-     [user: user]
-   end
- 
    describe "POST /api/pleroma/change_email" do
-     setup [:valid_user]
+     setup do: oauth_access(["write:accounts"])
+ 
+     test "without permissions", %{conn: conn} do
+       conn =
+         conn
+         |> assign(:token, nil)
+         |> post("/api/pleroma/change_email")
  
-     test "without credentials", %{conn: conn} do
-       conn = post(conn, "/api/pleroma/change_email")
-       assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
+       assert json_response(conn, 403) == %{"error" => "Insufficient permissions: write:accounts."}
      end
  
-     test "with credentials and invalid password", %{conn: conn, user: current_user} do
+     test "with proper permissions and invalid password", %{conn: conn} do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_email", %{
+         post(conn, "/api/pleroma/change_email", %{
            "password" => "hi",
            "email" => "test@test.com"
          })
@@@ -721,14 -512,11 +510,11 @@@
        assert json_response(conn, 200) == %{"error" => "Invalid password."}
      end
  
-     test "with credentials, valid password and invalid email", %{
-       conn: conn,
-       user: current_user
+     test "with proper permissions, valid password and invalid email", %{
+       conn: conn
      } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_email", %{
+         post(conn, "/api/pleroma/change_email", %{
            "password" => "test",
            "email" => "foobar"
          })
@@@ -736,28 -524,22 +522,22 @@@
        assert json_response(conn, 200) == %{"error" => "Email has invalid format."}
      end
  
-     test "with credentials, valid password and no email", %{
-       conn: conn,
-       user: current_user
+     test "with proper permissions, valid password and no email", %{
+       conn: conn
      } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_email", %{
+         post(conn, "/api/pleroma/change_email", %{
            "password" => "test"
          })
  
        assert json_response(conn, 200) == %{"error" => "Email can't be blank."}
      end
  
-     test "with credentials, valid password and blank email", %{
-       conn: conn,
-       user: current_user
+     test "with proper permissions, valid password and blank email", %{
+       conn: conn
      } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_email", %{
+         post(conn, "/api/pleroma/change_email", %{
            "password" => "test",
            "email" => ""
          })
@@@ -765,16 -547,13 +545,13 @@@
        assert json_response(conn, 200) == %{"error" => "Email can't be blank."}
      end
  
-     test "with credentials, valid password and non unique email", %{
-       conn: conn,
-       user: current_user
+     test "with proper permissions, valid password and non unique email", %{
+       conn: conn
      } do
        user = insert(:user)
  
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_email", %{
+         post(conn, "/api/pleroma/change_email", %{
            "password" => "test",
            "email" => user.email
          })
@@@ -782,14 -561,11 +559,11 @@@
        assert json_response(conn, 200) == %{"error" => "Email has already been taken."}
      end
  
-     test "with credentials, valid password and valid email", %{
-       conn: conn,
-       user: current_user
+     test "with proper permissions, valid password and valid email", %{
+       conn: conn
      } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_email", %{
+         post(conn, "/api/pleroma/change_email", %{
            "password" => "test",
            "email" => "cofe@foobar.com"
          })
@@@ -799,18 -575,20 +573,20 @@@
    end
  
    describe "POST /api/pleroma/change_password" do
-     setup [:valid_user]
+     setup do: oauth_access(["write:accounts"])
  
-     test "without credentials", %{conn: conn} do
-       conn = post(conn, "/api/pleroma/change_password")
-       assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
+     test "without permissions", %{conn: conn} do
+       conn =
+         conn
+         |> assign(:token, nil)
+         |> post("/api/pleroma/change_password")
+ 
+       assert json_response(conn, 403) == %{"error" => "Insufficient permissions: write:accounts."}
      end
  
-     test "with credentials and invalid password", %{conn: conn, user: current_user} do
+     test "with proper permissions and invalid password", %{conn: conn} do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_password", %{
+         post(conn, "/api/pleroma/change_password", %{
            "password" => "hi",
            "new_password" => "newpass",
            "new_password_confirmation" => "newpass"
@@@ -819,14 -597,12 +595,12 @@@
        assert json_response(conn, 200) == %{"error" => "Invalid password."}
      end
  
-     test "with credentials, valid password and new password and confirmation not matching", %{
-       conn: conn,
-       user: current_user
-     } do
+     test "with proper permissions, valid password and new password and confirmation not matching",
+          %{
+            conn: conn
+          } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_password", %{
+         post(conn, "/api/pleroma/change_password", %{
            "password" => "test",
            "new_password" => "newpass",
            "new_password_confirmation" => "notnewpass"
@@@ -837,14 -613,11 +611,11 @@@
               }
      end
  
-     test "with credentials, valid password and invalid new password", %{
-       conn: conn,
-       user: current_user
+     test "with proper permissions, valid password and invalid new password", %{
+       conn: conn
      } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_password", %{
+         post(conn, "/api/pleroma/change_password", %{
            "password" => "test",
            "new_password" => "",
            "new_password_confirmation" => ""
@@@ -855,47 -628,46 +626,46 @@@
               }
      end
  
-     test "with credentials, valid password and matching new password and confirmation", %{
+     test "with proper permissions, valid password and matching new password and confirmation", %{
        conn: conn,
-       user: current_user
+       user: user
      } do
        conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/change_password", %{
+         post(conn, "/api/pleroma/change_password", %{
            "password" => "test",
            "new_password" => "newpass",
            "new_password_confirmation" => "newpass"
          })
  
        assert json_response(conn, 200) == %{"status" => "success"}
-       fetched_user = User.get_cached_by_id(current_user.id)
+       fetched_user = User.get_cached_by_id(user.id)
        assert Comeonin.Pbkdf2.checkpw("newpass", fetched_user.password_hash) == true
      end
    end
  
    describe "POST /api/pleroma/delete_account" do
-     setup [:valid_user]
- 
-     test "without credentials", %{conn: conn} do
-       conn = post(conn, "/api/pleroma/delete_account")
-       assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-     end
+     setup do: oauth_access(["write:accounts"])
  
-     test "with credentials and invalid password", %{conn: conn, user: current_user} do
+     test "without permissions", %{conn: conn} do
        conn =
          conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/delete_account", %{"password" => "hi"})
+         |> assign(:token, nil)
+         |> post("/api/pleroma/delete_account")
  
-       assert json_response(conn, 200) == %{"error" => "Invalid password."}
+       assert json_response(conn, 403) ==
+                %{"error" => "Insufficient permissions: write:accounts."}
      end
  
-     test "with credentials and valid password", %{conn: conn, user: current_user} do
-       conn =
-         conn
-         |> with_credentials(current_user.nickname, "test")
-         |> post("/api/pleroma/delete_account", %{"password" => "test"})
+     test "with proper permissions and wrong or missing password", %{conn: conn} do
+       for params <- [%{"password" => "hi"}, %{}] do
+         ret_conn = post(conn, "/api/pleroma/delete_account", params)
+ 
+         assert json_response(ret_conn, 200) == %{"error" => "Invalid password."}
+       end
+     end
+ 
+     test "with proper permissions and valid password", %{conn: conn} do
+       conn = post(conn, "/api/pleroma/delete_account", %{"password" => "test"})
  
        assert json_response(conn, 200) == %{"status" => "success"}
      end