From 1f6ed4f86ab2aa98bb271b40bf381370fab4fdf2 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Thu, 5 Jul 2018 18:31:35 +0200 Subject: Add more granular OAuth scopes (#7929) * Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope --- .../api/v1/accounts/credentials_controller_spec.rb | 6 ++- .../accounts/follower_accounts_controller_spec.rb | 2 +- .../accounts/following_accounts_controller_spec.rb | 2 +- .../api/v1/accounts/lists_controller_spec.rb | 2 +- .../v1/accounts/relationships_controller_spec.rb | 2 +- .../api/v1/accounts/search_controller_spec.rb | 2 +- .../api/v1/accounts/statuses_controller_spec.rb | 2 +- .../controllers/api/v1/accounts_controller_spec.rb | 45 ++++++++++++++++++++-- spec/controllers/api/v1/blocks_controller_spec.rb | 14 ++++++- .../api/v1/domain_blocks_controller_spec.rb | 22 ++++++++++- .../api/v1/favourites_controller_spec.rb | 2 +- spec/controllers/api/v1/filter_controller_spec.rb | 8 +++- .../api/v1/follow_requests_controller_spec.rb | 8 +++- spec/controllers/api/v1/follows_controller_spec.rb | 2 +- .../api/v1/lists/accounts_controller_spec.rb | 7 +++- spec/controllers/api/v1/lists_controller_spec.rb | 12 +++++- spec/controllers/api/v1/media_controller_spec.rb | 2 +- spec/controllers/api/v1/mutes_controller_spec.rb | 2 +- .../api/v1/notifications_controller_spec.rb | 10 ++++- spec/controllers/api/v1/reports_controller_spec.rb | 5 ++- spec/controllers/api/v1/search_controller_spec.rb | 2 +- .../favourited_by_accounts_controller_spec.rb | 2 +- .../api/v1/statuses/favourites_controller_spec.rb | 2 +- .../api/v1/statuses/mutes_controller_spec.rb | 2 +- .../api/v1/statuses/pins_controller_spec.rb | 2 +- .../reblogged_by_accounts_controller_spec.rb | 2 +- .../api/v1/statuses/reblogs_controller_spec.rb | 2 +- .../controllers/api/v1/statuses_controller_spec.rb | 7 +++- .../api/v1/timelines/home_controller_spec.rb | 2 +- .../api/v1/timelines/list_controller_spec.rb | 2 +- spec/controllers/api/v2/search_controller_spec.rb | 22 +++++++++++ 31 files changed, 171 insertions(+), 33 deletions(-) create mode 100644 spec/controllers/api/v2/search_controller_spec.rb (limited to 'spec/controllers') diff --git a/spec/controllers/api/v1/accounts/credentials_controller_spec.rb b/spec/controllers/api/v1/accounts/credentials_controller_spec.rb index 9a52fd14c..727669886 100644 --- a/spec/controllers/api/v1/accounts/credentials_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/credentials_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Accounts::CredentialsController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } context 'with an oauth token' do before do @@ -12,6 +12,8 @@ describe Api::V1::Accounts::CredentialsController do end describe 'GET #show' do + let(:scopes) { 'read:accounts' } + it 'returns http success' do get :show expect(response).to have_http_status(200) @@ -19,6 +21,8 @@ describe Api::V1::Accounts::CredentialsController do end describe 'PATCH #update' do + let(:scopes) { 'write:accounts' } + describe 'with valid data' do before do allow(ActivityPub::UpdateDistributionWorker).to receive(:perform_async) diff --git a/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb b/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb index b47af4963..75e0570e9 100644 --- a/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/follower_accounts_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Accounts::FollowerAccountsController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') } before do Fabricate(:follow, target_account: user.account) diff --git a/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb b/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb index 29fd7cd5b..7f7105ad3 100644 --- a/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/following_accounts_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Accounts::FollowingAccountsController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') } before do Fabricate(:follow, account: user.account) diff --git a/spec/controllers/api/v1/accounts/lists_controller_spec.rb b/spec/controllers/api/v1/accounts/lists_controller_spec.rb index df9fe0e34..baafea8e6 100644 --- a/spec/controllers/api/v1/accounts/lists_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/lists_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Accounts::ListsController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:lists') } let(:account) { Fabricate(:account) } let(:list) { Fabricate(:list, account: user.account) } diff --git a/spec/controllers/api/v1/accounts/relationships_controller_spec.rb b/spec/controllers/api/v1/accounts/relationships_controller_spec.rb index 7e350da7e..fe715ff62 100644 --- a/spec/controllers/api/v1/accounts/relationships_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/relationships_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Accounts::RelationshipsController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:follows') } before do allow(controller).to receive(:doorkeeper_token) { token } diff --git a/spec/controllers/api/v1/accounts/search_controller_spec.rb b/spec/controllers/api/v1/accounts/search_controller_spec.rb index dbc4b9f3e..8ff2b17de 100644 --- a/spec/controllers/api/v1/accounts/search_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/search_controller_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Api::V1::Accounts::SearchController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') } before do allow(controller).to receive(:doorkeeper_token) { token } diff --git a/spec/controllers/api/v1/accounts/statuses_controller_spec.rb b/spec/controllers/api/v1/accounts/statuses_controller_spec.rb index 09bb46937..693cd1ac6 100644 --- a/spec/controllers/api/v1/accounts/statuses_controller_spec.rb +++ b/spec/controllers/api/v1/accounts/statuses_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Accounts::StatusesController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') } before do allow(controller).to receive(:doorkeeper_token) { token } diff --git a/spec/controllers/api/v1/accounts_controller_spec.rb b/spec/controllers/api/v1/accounts_controller_spec.rb index 7a9e0f8e4..3e54e88a5 100644 --- a/spec/controllers/api/v1/accounts_controller_spec.rb +++ b/spec/controllers/api/v1/accounts_controller_spec.rb @@ -3,21 +3,38 @@ require 'rails_helper' RSpec.describe Api::V1::AccountsController, type: :controller do render_views - let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow read') } + let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } + let(:scopes) { '' } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } before do allow(controller).to receive(:doorkeeper_token) { token } end + shared_examples 'forbidden for wrong scope' do |wrong_scope| + let(:scopes) { wrong_scope } + + it 'returns http forbidden' do + expect(response).to have_http_status(403) + end + end + describe 'GET #show' do - it 'returns http success' do + let(:scopes) { 'read:accounts' } + + before do get :show, params: { id: user.account.id } + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it_behaves_like 'forbidden for wrong scope', 'write:statuses' end describe 'POST #follow' do + let(:scopes) { 'write:follows' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob', locked: locked)).account } before do @@ -41,6 +58,8 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'creates a following relation between user and target user' do expect(user.account.following?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end context 'with locked account' do @@ -60,10 +79,13 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'creates a follow request relation between user and target user' do expect(user.account.requested?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end end describe 'POST #unfollow' do + let(:scopes) { 'write:follows' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -78,9 +100,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'removes the following relation between user and target user' do expect(user.account.following?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #block' do + let(:scopes) { 'write:blocks' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -99,9 +124,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'creates a blocking relation' do expect(user.account.blocking?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #unblock' do + let(:scopes) { 'write:blocks' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -116,9 +144,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'removes the blocking relation between user and target user' do expect(user.account.blocking?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #mute' do + let(:scopes) { 'write:mutes' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -141,9 +172,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'mutes notifications' do expect(user.account.muting_notifications?(other_account)).to be true end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #mute with notifications set to false' do + let(:scopes) { 'write:mutes' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -166,9 +200,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'does not mute notifications' do expect(user.account.muting_notifications?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end describe 'POST #unmute' do + let(:scopes) { 'write:mutes' } let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } before do @@ -183,5 +220,7 @@ RSpec.describe Api::V1::AccountsController, type: :controller do it 'removes the muting relation between user and target user' do expect(user.account.muting?(other_account)).to be false end + + it_behaves_like 'forbidden for wrong scope', 'read:accounts' end end diff --git a/spec/controllers/api/v1/blocks_controller_spec.rb b/spec/controllers/api/v1/blocks_controller_spec.rb index eff5fb9da..818f76c92 100644 --- a/spec/controllers/api/v1/blocks_controller_spec.rb +++ b/spec/controllers/api/v1/blocks_controller_spec.rb @@ -3,8 +3,9 @@ require 'rails_helper' RSpec.describe Api::V1::BlocksController, type: :controller do render_views - let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } + let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } + let(:scopes) { 'read:blocks' } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } before { allow(controller).to receive(:doorkeeper_token) { token } } @@ -49,5 +50,14 @@ RSpec.describe Api::V1::BlocksController, type: :controller do get :index expect(response).to have_http_status(200) end + + context 'with wrong scopes' do + let(:scopes) { 'write:blocks' } + + it 'returns http forbidden' do + get :index + expect(response).to have_http_status(403) + end + end end end diff --git a/spec/controllers/api/v1/domain_blocks_controller_spec.rb b/spec/controllers/api/v1/domain_blocks_controller_spec.rb index bae4612a2..6a7a35c7a 100644 --- a/spec/controllers/api/v1/domain_blocks_controller_spec.rb +++ b/spec/controllers/api/v1/domain_blocks_controller_spec.rb @@ -4,14 +4,24 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } before do user.account.block_domain!('example.com') allow(controller).to receive(:doorkeeper_token) { token } end + shared_examples 'forbidden for wrong scope' do |wrong_scope| + let(:scopes) { wrong_scope } + + it 'returns http forbidden' do + expect(response).to have_http_status(403) + end + end + describe 'GET #show' do + let(:scopes) { 'read:blocks' } + before do get :show, params: { limit: 1 } end @@ -23,9 +33,13 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do it 'returns blocked domains' do expect(body_as_json.first).to eq 'example.com' end + + it_behaves_like 'forbidden for wrong scope', 'write:statuses' end describe 'POST #create' do + let(:scopes) { 'write:blocks' } + before do post :create, params: { domain: 'example.org' } end @@ -37,9 +51,13 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do it 'creates a domain block' do expect(user.account.domain_blocking?('example.org')).to be true end + + it_behaves_like 'forbidden for wrong scope', 'write:statuses' end describe 'DELETE #destroy' do + let(:scopes) { 'write:blocks' } + before do delete :destroy, params: { domain: 'example.com' } end @@ -51,5 +69,7 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do it 'deletes a domain block' do expect(user.account.domain_blocking?('example.com')).to be false end + + it_behaves_like 'forbidden for wrong scope', 'write:statuses' end end diff --git a/spec/controllers/api/v1/favourites_controller_spec.rb b/spec/controllers/api/v1/favourites_controller_spec.rb index 46cf70f4d..2bdf927f2 100644 --- a/spec/controllers/api/v1/favourites_controller_spec.rb +++ b/spec/controllers/api/v1/favourites_controller_spec.rb @@ -45,7 +45,7 @@ RSpec.describe Api::V1::FavouritesController, type: :controller do context 'with read scope and valid resource owner' do before do allow(controller).to receive(:doorkeeper_token) do - Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') + Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:favourites') end end diff --git a/spec/controllers/api/v1/filter_controller_spec.rb b/spec/controllers/api/v1/filter_controller_spec.rb index 3ffd8f784..5948809e3 100644 --- a/spec/controllers/api/v1/filter_controller_spec.rb +++ b/spec/controllers/api/v1/filter_controller_spec.rb @@ -4,13 +4,14 @@ RSpec.describe Api::V1::FiltersController, type: :controller do render_views let(:user) { Fabricate(:user) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } before do allow(controller).to receive(:doorkeeper_token) { token } end describe 'GET #index' do + let(:scopes) { 'read:filters' } let!(:filter) { Fabricate(:custom_filter, account: user.account) } it 'returns http success' do @@ -20,6 +21,8 @@ RSpec.describe Api::V1::FiltersController, type: :controller do end describe 'POST #create' do + let(:scopes) { 'write:filters' } + before do post :create, params: { phrase: 'magic', context: %w(home), irreversible: true } end @@ -39,6 +42,7 @@ RSpec.describe Api::V1::FiltersController, type: :controller do end describe 'GET #show' do + let(:scopes) { 'read:filters' } let(:filter) { Fabricate(:custom_filter, account: user.account) } it 'returns http success' do @@ -48,6 +52,7 @@ RSpec.describe Api::V1::FiltersController, type: :controller do end describe 'PUT #update' do + let(:scopes) { 'write:filters' } let(:filter) { Fabricate(:custom_filter, account: user.account) } before do @@ -64,6 +69,7 @@ RSpec.describe Api::V1::FiltersController, type: :controller do end describe 'DELETE #destroy' do + let(:scopes) { 'write:filters' } let(:filter) { Fabricate(:custom_filter, account: user.account) } before do diff --git a/spec/controllers/api/v1/follow_requests_controller_spec.rb b/spec/controllers/api/v1/follow_requests_controller_spec.rb index 3c0b84af8..87292d9ce 100644 --- a/spec/controllers/api/v1/follow_requests_controller_spec.rb +++ b/spec/controllers/api/v1/follow_requests_controller_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice', locked: true)) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } let(:follower) { Fabricate(:account, username: 'bob') } before do @@ -13,6 +13,8 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do end describe 'GET #index' do + let(:scopes) { 'read:follows' } + before do get :index, params: { limit: 1 } end @@ -23,6 +25,8 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do end describe 'POST #authorize' do + let(:scopes) { 'write:follows' } + before do post :authorize, params: { id: follower.id } end @@ -37,6 +41,8 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do end describe 'POST #reject' do + let(:scopes) { 'write:follows' } + before do post :reject, params: { id: follower.id } end diff --git a/spec/controllers/api/v1/follows_controller_spec.rb b/spec/controllers/api/v1/follows_controller_spec.rb index 38badb80a..089e0fe5e 100644 --- a/spec/controllers/api/v1/follows_controller_spec.rb +++ b/spec/controllers/api/v1/follows_controller_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Api::V1::FollowsController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:follows') } before do allow(controller).to receive(:doorkeeper_token) { token } diff --git a/spec/controllers/api/v1/lists/accounts_controller_spec.rb b/spec/controllers/api/v1/lists/accounts_controller_spec.rb index c37a481d6..08c22de56 100644 --- a/spec/controllers/api/v1/lists/accounts_controller_spec.rb +++ b/spec/controllers/api/v1/lists/accounts_controller_spec.rb @@ -4,7 +4,7 @@ describe Api::V1::Lists::AccountsController do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } let(:list) { Fabricate(:list, account: user.account) } before do @@ -14,6 +14,8 @@ describe Api::V1::Lists::AccountsController do end describe 'GET #index' do + let(:scopes) { 'read:lists' } + it 'returns http success' do get :show, params: { list_id: list.id } @@ -22,6 +24,7 @@ describe Api::V1::Lists::AccountsController do end describe 'POST #create' do + let(:scopes) { 'write:lists' } let(:bob) { Fabricate(:account, username: 'bob') } before do @@ -39,6 +42,8 @@ describe Api::V1::Lists::AccountsController do end describe 'DELETE #destroy' do + let(:scopes) { 'write:lists' } + before do delete :destroy, params: { list_id: list.id, account_ids: [list.accounts.first.id] } end diff --git a/spec/controllers/api/v1/lists_controller_spec.rb b/spec/controllers/api/v1/lists_controller_spec.rb index 213429581..e92213789 100644 --- a/spec/controllers/api/v1/lists_controller_spec.rb +++ b/spec/controllers/api/v1/lists_controller_spec.rb @@ -4,12 +4,14 @@ RSpec.describe Api::V1::ListsController, type: :controller do render_views let!(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } + let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } let!(:list) { Fabricate(:list, account: user.account) } before { allow(controller).to receive(:doorkeeper_token) { token } } describe 'GET #index' do + let(:scopes) { 'read:lists' } + it 'returns http success' do get :index expect(response).to have_http_status(200) @@ -17,6 +19,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do end describe 'GET #show' do + let(:scopes) { 'read:lists' } + it 'returns http success' do get :show, params: { id: list.id } expect(response).to have_http_status(200) @@ -24,6 +28,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do end describe 'POST #create' do + let(:scopes) { 'write:lists' } + before do post :create, params: { title: 'Foo bar' } end @@ -39,6 +45,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do end describe 'PUT #update' do + let(:scopes) { 'write:lists' } + before do put :update, params: { id: list.id, title: 'Updated title' } end @@ -53,6 +61,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do end describe 'DELETE #destroy' do + let(:scopes) { 'write:lists' } + before do delete :destroy, params: { id: list.id } end diff --git a/spec/controllers/api/v1/media_controller_spec.rb b/spec/controllers/api/v1/media_controller_spec.rb index ce260eb90..f01fcd942 100644 --- a/spec/controllers/api/v1/media_controller_spec.rb +++ b/spec/controllers/api/v1/media_controller_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Api::V1::MediaController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:media') } before do allow(controller).to receive(:doorkeeper_token) { token } diff --git a/spec/controllers/api/v1/mutes_controller_spec.rb b/spec/controllers/api/v1/mutes_controller_spec.rb index dc4a9753a..f9603b7ff 100644 --- a/spec/controllers/api/v1/mutes_controller_spec.rb +++ b/spec/controllers/api/v1/mutes_controller_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Api::V1::MutesController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:mutes') } before do Fabricate(:mute, account: user.account, hide_notifications: false) diff --git a/spec/controllers/api/v1/notifications_controller_spec.rb b/spec/controllers/api/v1/notifications_controller_spec.rb index 2e6163fcd..9f679cb8a 100644 --- a/spec/controllers/api/v1/notifications_controller_spec.rb +++ b/spec/controllers/api/v1/notifications_controller_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } let(:other) { Fabricate(:user, account: Fabricate(:account, username: 'bob')) } before do @@ -12,6 +12,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do end describe 'GET #show' do + let(:scopes) { 'read:notifications' } + it 'returns http success' do notification = Fabricate(:notification, account: user.account) get :show, params: { id: notification.id } @@ -21,6 +23,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do end describe 'POST #dismiss' do + let(:scopes) { 'write:notifications' } + it 'destroys the notification' do notification = Fabricate(:notification, account: user.account) post :dismiss, params: { id: notification.id } @@ -31,6 +35,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do end describe 'POST #clear' do + let(:scopes) { 'write:notifications' } + it 'clears notifications for the account' do notification = Fabricate(:notification, account: user.account) post :clear @@ -41,6 +47,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do end describe 'GET #index' do + let(:scopes) { 'read:notifications' } + before do first_status = PostStatusService.new.call(user.account, 'Test') @reblog_of_first_status = ReblogService.new.call(other.account, first_status) diff --git a/spec/controllers/api/v1/reports_controller_spec.rb b/spec/controllers/api/v1/reports_controller_spec.rb index 1e1ef9308..ac93998c6 100644 --- a/spec/controllers/api/v1/reports_controller_spec.rb +++ b/spec/controllers/api/v1/reports_controller_spec.rb @@ -6,13 +6,15 @@ RSpec.describe Api::V1::ReportsController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } before do allow(controller).to receive(:doorkeeper_token) { token } end describe 'GET #index' do + let(:scopes) { 'read:reports' } + it 'returns http success' do get :index @@ -21,6 +23,7 @@ RSpec.describe Api::V1::ReportsController, type: :controller do end describe 'POST #create' do + let(:scopes) { 'write:reports' } let!(:status) { Fabricate(:status) } let!(:admin) { Fabricate(:user, admin: true) } diff --git a/spec/controllers/api/v1/search_controller_spec.rb b/spec/controllers/api/v1/search_controller_spec.rb index 024703867..c9e544cc7 100644 --- a/spec/controllers/api/v1/search_controller_spec.rb +++ b/spec/controllers/api/v1/search_controller_spec.rb @@ -6,7 +6,7 @@ RSpec.describe Api::V1::SearchController, type: :controller do render_views let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:search') } before do allow(controller).to receive(:doorkeeper_token) { token } diff --git a/spec/controllers/api/v1/statuses/favourited_by_accounts_controller_spec.rb b/spec/controllers/api/v1/statuses/favourited_by_accounts_controller_spec.rb index c873e05dd..23b5d7de9 100644 --- a/spec/controllers/api/v1/statuses/favourited_by_accounts_controller_spec.rb +++ b/spec/controllers/api/v1/statuses/favourited_by_accounts_controller_spec.rb @@ -5,7 +5,7 @@ RSpec.describe Api::V1::Statuses::FavouritedByAccountsController, type: :control let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: 'read:accounts') } context 'with an oauth token' do before do diff --git a/spec/controllers/api/v1/statuses/favourites_controller_spec.rb b/spec/controllers/api/v1/statuses/favourites_controller_spec.rb index 53f602616..24a760e20 100644 --- a/spec/controllers/api/v1/statuses/favourites_controller_spec.rb +++ b/spec/controllers/api/v1/statuses/favourites_controller_spec.rb @@ -7,7 +7,7 @@ describe Api::V1::Statuses::FavouritesController do let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:favourites', application: app) } context 'with an oauth token' do before do diff --git a/spec/controllers/api/v1/statuses/mutes_controller_spec.rb b/spec/controllers/api/v1/statuses/mutes_controller_spec.rb index 13b4625d1..966398580 100644 --- a/spec/controllers/api/v1/statuses/mutes_controller_spec.rb +++ b/spec/controllers/api/v1/statuses/mutes_controller_spec.rb @@ -7,7 +7,7 @@ describe Api::V1::Statuses::MutesController do let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:mutes', application: app) } context 'with an oauth token' do before do diff --git a/spec/controllers/api/v1/statuses/pins_controller_spec.rb b/spec/controllers/api/v1/statuses/pins_controller_spec.rb index 8f5b0800b..13405d285 100644 --- a/spec/controllers/api/v1/statuses/pins_controller_spec.rb +++ b/spec/controllers/api/v1/statuses/pins_controller_spec.rb @@ -7,7 +7,7 @@ describe Api::V1::Statuses::PinsController do let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:accounts', application: app) } context 'with an oauth token' do before do diff --git a/spec/controllers/api/v1/statuses/reblogged_by_accounts_controller_spec.rb b/spec/controllers/api/v1/statuses/reblogged_by_accounts_controller_spec.rb index 9c0c2b60c..d758786dc 100644 --- a/spec/controllers/api/v1/statuses/reblogged_by_accounts_controller_spec.rb +++ b/spec/controllers/api/v1/statuses/reblogged_by_accounts_controller_spec.rb @@ -5,7 +5,7 @@ RSpec.describe Api::V1::Statuses::RebloggedByAccountsController, type: :controll let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: 'read:accounts') } context 'with an oauth token' do before do diff --git a/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb b/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb index e60f8da2a..d14ca3e8b 100644 --- a/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb +++ b/spec/controllers/api/v1/statuses/reblogs_controller_spec.rb @@ -7,7 +7,7 @@ describe Api::V1::Statuses::ReblogsController do let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:statuses', application: app) } context 'with an oauth token' do before do diff --git a/spec/controllers/api/v1/statuses_controller_spec.rb b/spec/controllers/api/v1/statuses_controller_spec.rb index 27e4f4eb2..8bc3b0c67 100644 --- a/spec/controllers/api/v1/statuses_controller_spec.rb +++ b/spec/controllers/api/v1/statuses_controller_spec.rb @@ -5,7 +5,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } let(:app) { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: 'write') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: scopes) } context 'with an oauth token' do before do @@ -13,6 +13,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do end describe 'GET #show' do + let(:scopes) { 'read:statuses' } let(:status) { Fabricate(:status, account: user.account) } it 'returns http success' do @@ -22,6 +23,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do end describe 'GET #context' do + let(:scopes) { 'read:statuses' } let(:status) { Fabricate(:status, account: user.account) } before do @@ -35,6 +37,8 @@ RSpec.describe Api::V1::StatusesController, type: :controller do end describe 'POST #create' do + let(:scopes) { 'write:statuses' } + before do post :create, params: { status: 'Hello world' } end @@ -45,6 +49,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do end describe 'DELETE #destroy' do + let(:scopes) { 'write:statuses' } let(:status) { Fabricate(:status, account: user.account) } before do diff --git a/spec/controllers/api/v1/timelines/home_controller_spec.rb b/spec/controllers/api/v1/timelines/home_controller_spec.rb index 85b031641..a667c33fa 100644 --- a/spec/controllers/api/v1/timelines/home_controller_spec.rb +++ b/spec/controllers/api/v1/timelines/home_controller_spec.rb @@ -12,7 +12,7 @@ describe Api::V1::Timelines::HomeController do end context 'with a user context' do - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') } describe 'GET #show' do before do diff --git a/spec/controllers/api/v1/timelines/list_controller_spec.rb b/spec/controllers/api/v1/timelines/list_controller_spec.rb index 1729217c9..93a2be6e6 100644 --- a/spec/controllers/api/v1/timelines/list_controller_spec.rb +++ b/spec/controllers/api/v1/timelines/list_controller_spec.rb @@ -13,7 +13,7 @@ describe Api::V1::Timelines::ListController do end context 'with a user context' do - let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:lists') } describe 'GET #show' do before do diff --git a/spec/controllers/api/v2/search_controller_spec.rb b/spec/controllers/api/v2/search_controller_spec.rb new file mode 100644 index 000000000..8ee8753de --- /dev/null +++ b/spec/controllers/api/v2/search_controller_spec.rb @@ -0,0 +1,22 @@ +# frozen_string_literal: true + +require 'rails_helper' + +RSpec.describe Api::V2::SearchController, type: :controller do + render_views + + let(:user) { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } + let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:search') } + + before do + allow(controller).to receive(:doorkeeper_token) { token } + end + + describe 'GET #index' do + it 'returns http success' do + get :index, params: { q: 'test' } + + expect(response).to have_http_status(200) + end + end +end -- cgit