From 1f6ed4f86ab2aa98bb271b40bf381370fab4fdf2 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Thu, 5 Jul 2018 18:31:35 +0200 Subject: Add more granular OAuth scopes (#7929) * Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope --- .../controllers/api/v1/accounts_controller_spec.rb | 45 ++++++++++++++++++++-- 1 file changed, 42 insertions(+), 3 deletions(-) (limited to 'spec/controllers/api/v1/accounts_controller_spec.rb') diff --git a/spec/controllers/api/v1/accounts_controller_spec.rb b/spec/controllers/api/v1/accounts_controller_spec.rb index 7a9e0f8e4..3e54e88a5 100644 --- a/spec/controllers/api/v1/accounts_controller_spec.rb +++ b/spec/controllers/api/v1/accounts_controller_spec.rb @@ -3,21 +3,38 @@ require 'rails_helper' RSpec.describe Api::V1::AccountsController, type: :controller do render_views - let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow read') } + let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } + let(:scopes) { '' } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } before do allow(controller).to receive(:doorkeeper_token) { token } end + shared_examples 'forbidden for wrong scope' do |wrong_scope| + let(:scopes) { wrong_scope } + + it 'returns http forbidden' do + expect(response).to have_http_status(403) + end + end + describe 'GET #show' do - it 'returns http success' do + let(:scopes) { 'read:accounts' } + + before do get :show, params: { id: user.account.id } + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it_behaves_like 'forbidden for wrong scope', 'write:statuses' end describe 'POST #follow' do + let(:scopes) { 'write:follows' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob', locked: locked)).account } before do @@ -41,6 +58,8 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'creates a following relation between user and target user' do expect(user.account.following?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end context 'with locked account' do @@ -60,10 +79,13 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'creates a follow request relation between user and target user' do expect(user.account.requested?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end end describe 'POST #unfollow' do + let(:scopes) { 'write:follows' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -78,9 +100,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'removes the following relation between user and target user' do expect(user.account.following?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #block' do + let(:scopes) { 'write:blocks' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -99,9 +124,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'creates a blocking relation' do expect(user.account.blocking?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #unblock' do + let(:scopes) { 'write:blocks' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -116,9 +144,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'removes the blocking relation between user and target user' do expect(user.account.blocking?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #mute' do + let(:scopes) { 'write:mutes' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -141,9 +172,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'mutes notifications' do expect(user.account.muting_notifications?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #mute with notifications set to false' do + let(:scopes) { 'write:mutes' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -166,9 +200,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'does not mute notifications' do expect(user.account.muting_notifications?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #unmute' do + let(:scopes) { 'write:mutes' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -183,5 +220,7 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'removes the muting relation between user and target user' do expect(user.account.muting?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end end -- cgit