Merge branch 'develop' into notifications-from-account

test/conversation/participation_test.exs

@@ -125,9 +125,10 @@ defmodule Pleroma.Conversation.ParticipationTest do
 
   test "it marks a participation as read" do
     participation = insert(:participation, %{read: false})
-    {:ok, participation} = Participation.mark_as_read(participation)
+    {:ok, updated_participation} = Participation.mark_as_read(participation)
 
-    assert participation.read
+    assert updated_participation.read
+    assert updated_participation.updated_at == participation.updated_at
   end
 
   test "it marks a participation as unread" do

test/fixtures/modules/runtime_module.ex

@@ -0,0 +1,9 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule RuntimeModule do
+  @moduledoc """
+  This is a dummy module to test custom runtime modules.
+  """
+end

test/fixtures/tesla_mock/mobilizon.org-event.json

@@ -0,0 +1 @@
+{"@context":["https://www.w3.org/ns/activitystreams","https://litepub.social/litepub/context.jsonld",{"GeoCoordinates":"sc:GeoCoordinates","Hashtag":"as:Hashtag","Place":"sc:Place","PostalAddress":"sc:PostalAddress","address":{"@id":"sc:address","@type":"sc:PostalAddress"},"addressCountry":"sc:addressCountry","addressLocality":"sc:addressLocality","addressRegion":"sc:addressRegion","category":"sc:category","commentsEnabled":{"@id":"pt:commentsEnabled","@type":"sc:Boolean"},"geo":{"@id":"sc:geo","@type":"sc:GeoCoordinates"},"ical":"http://www.w3.org/2002/12/cal/ical#","joinMode":{"@id":"mz:joinMode","@type":"mz:joinModeType"},"joinModeType":{"@id":"mz:joinModeType","@type":"rdfs:Class"},"location":{"@id":"sc:location","@type":"sc:Place"},"maximumAttendeeCapacity":"sc:maximumAttendeeCapacity","mz":"https://joinmobilizon.org/ns#","postalCode":"sc:postalCode","pt":"https://joinpeertube.org/ns#","repliesModerationOption":{"@id":"mz:repliesModerationOption","@type":"mz:repliesModerationOptionType"},"repliesModerationOptionType":{"@id":"mz:repliesModerationOptionType","@type":"rdfs:Class"},"sc":"http://schema.org#","streetAddress":"sc:streetAddress","uuid":"sc:identifier"}],"actor":"https://mobilizon.org/@tcit","attributedTo":"https://mobilizon.org/@tcit","category":"meeting","cc":[],"commentsEnabled":true,"content":"<p>Mobilizon is now federated! 🎉</p><p></p><p>You can view this event from other instances if they are subscribed to mobilizon.org, and soon directly from Mastodon and Pleroma. It is possible that you may see some comments from other instances, including Mastodon ones, just below.</p><p></p><p>With a Mobilizon account on an instance, you may <strong>participate</strong> at events from other instances and <strong>add comments</strong> on events.</p><p></p><p>Of course, it's still <u>a work in progress</u>: if reports made from an instance on events and comments can be federated, you can't block people right now, and moderators actions are rather limited, but this <strong>will definitely get fixed over time</strong> until first stable version next year.</p><p></p><p>Anyway, if you want to come up with some feedback, head over to our forum or - if you feel you have technical skills and are familiar with it - on our Gitlab repository.</p><p></p><p>Also, to people that want to set Mobilizon themselves even though we really don't advise to do that for now, we have a little documentation but it's quite the early days and you'll probably need some help. No worries, you can chat with us on our Forum or though our Matrix channel.</p><p></p><p>Check our website for more informations and follow us on Twitter or Mastodon.</p>","endTime":"2019-12-18T14:00:00Z","ical:status":"CONFIRMED","id":"https://mobilizon.org/events/252d5816-00a3-4a89-a66f-15bf65c33e39","joinMode":"free","location":{"address":{"addressCountry":"France","addressLocality":"Nantes","addressRegion":"Pays de la Loire","postalCode":null,"streetAddress":" ","type":"PostalAddress"},"geo":{"latitude":-1.54939699141711,"longitude":47.21617415,"type":"GeoCoordinates"},"id":"https://mobilizon.org/address/1368fdab-1e2c-4de6-bcff-a90c84abdee1","name":"Cour du Château des Ducs de Bretagne","type":"Place"},"maximumAttendeeCapacity":0,"mediaType":"text/html","name":"Mobilizon Launching Party","published":"2019-12-17T11:33:56Z","repliesModerationOption":"allow_all","startTime":"2019-12-18T13:00:00Z","tag":[{"href":"https://mobilizon.org/tags/mobilizon","name":"#Mobilizon","type":"Hashtag"},{"href":"https://mobilizon.org/tags/federation","name":"#Federation","type":"Hashtag"},{"href":"https://mobilizon.org/tags/activitypub","name":"#ActivityPub","type":"Hashtag"},{"href":"https://mobilizon.org/tags/party","name":"#Party","type":"Hashtag"}],"to":["https://www.w3.org/ns/activitystreams#Public"],"type":"Event","updated":"2019-12-17T12:25:01Z","url":"https://mobilizon.org/events/252d5816-00a3-4a89-a66f-15bf65c33e39","uuid":"252d5816-00a3-4a89-a66f-15bf65c33e39"}

test/fixtures/tesla_mock/mobilizon.org-user.json

@@ -0,0 +1 @@
+{"@context":["https://www.w3.org/ns/activitystreams","https://litepub.social/litepub/context.jsonld",{"GeoCoordinates":"sc:GeoCoordinates","Hashtag":"as:Hashtag","Place":"sc:Place","PostalAddress":"sc:PostalAddress","address":{"@id":"sc:address","@type":"sc:PostalAddress"},"addressCountry":"sc:addressCountry","addressLocality":"sc:addressLocality","addressRegion":"sc:addressRegion","category":"sc:category","commentsEnabled":{"@id":"pt:commentsEnabled","@type":"sc:Boolean"},"geo":{"@id":"sc:geo","@type":"sc:GeoCoordinates"},"ical":"http://www.w3.org/2002/12/cal/ical#","joinMode":{"@id":"mz:joinMode","@type":"mz:joinModeType"},"joinModeType":{"@id":"mz:joinModeType","@type":"rdfs:Class"},"location":{"@id":"sc:location","@type":"sc:Place"},"maximumAttendeeCapacity":"sc:maximumAttendeeCapacity","mz":"https://joinmobilizon.org/ns#","postalCode":"sc:postalCode","pt":"https://joinpeertube.org/ns#","repliesModerationOption":{"@id":"mz:repliesModerationOption","@type":"mz:repliesModerationOptionType"},"repliesModerationOptionType":{"@id":"mz:repliesModerationOptionType","@type":"rdfs:Class"},"sc":"http://schema.org#","streetAddress":"sc:streetAddress","uuid":"sc:identifier"}],"endpoints":{"sharedInbox":"https://mobilizon.org/inbox"},"followers":"https://mobilizon.org/@tcit/followers","following":"https://mobilizon.org/@tcit/following","icon":{"mediaType":null,"type":"Image","url":"https://mobilizon.org/media/3a5f18c058a8193b1febfaf561f94ae8b91f85ac64c01ddf5ad7b251fb43baf5.jpg?name=profil.jpg"},"id":"https://mobilizon.org/@tcit","inbox":"https://mobilizon.org/@tcit/inbox","manuallyApprovesFollowers":false,"name":"Thomas Citharel","outbox":"https://mobilizon.org/@tcit/outbox","preferredUsername":"tcit","publicKey":{"id":"https://mobilizon.org/@tcit#main-key","owner":"https://mobilizon.org/@tcit","publicKeyPem":"-----BEGIN RSA PUBLIC KEY-----\nMIIBCgKCAQEAtzuZFviv5f12SuA0wZFMuwKS8RIlT3IjPCMLRDhiorZeV3UJ1lik\nDYO6mEh22KDXYgJtNVSYGF0Q5LJivgcvuvU+VQ048iTB1B2x0rHMr47KPByPjfVb\nKDeHt6fkHcLY0JK8UkIxW542wXAg4jX5w3gJi3pgTQrCT8VNyPbH1CaA0uW//9jc\nqzZQVFzpfdJoVOM9E3Urc/u58HC4xOptlM7+B/594ZI9drYwy5m+ZxHwlQUYCva4\n34dvwsfOGxkQyIrzXoep80EnWnFpYCLMcCiz+sEhPYxqLgNE+Cmn/6pv7SIscz6p\neVlQXIchdw+J4yl07paJDkFc6CNTCmaIHQIDAQAB\n-----END RSA PUBLIC KEY-----\n\n"},"summary":"Main profile","type":"Person","url":"https://mobilizon.org/@tcit"}

test/notification_test.exs

@@ -98,7 +98,7 @@ defmodule Pleroma.NotificationTest do
       assert Notification.create_notification(activity, user)
     end
 
-    test "it creates a notificatin for the user if the user mutes the activity author" do
+    test "it creates a notification for the user if the user mutes the activity author" do
       muter = insert(:user)
       muted = insert(:user)
       {:ok, _} = User.mute(muter, muted)

test/object/fetcher_test.exs

@@ -77,6 +77,15 @@ defmodule Pleroma.Object.FetcherTest do
       assert object
     end
 
+    test "it can fetch Mobilizon events" do
+      {:ok, object} =
+        Fetcher.fetch_object_from_id(
+          "https://mobilizon.org/events/252d5816-00a3-4a89-a66f-15bf65c33e39"
+        )
+
+      assert object
+    end
+
     test "it can fetch wedistribute articles" do
       {:ok, object} =
         Fetcher.fetch_object_from_id("https://wedistribute.org/wp-json/pterotype/v1/object/85810")

test/object_test.exs

@@ -71,6 +71,74 @@ defmodule Pleroma.ObjectTest do
     end
   end
 
+  describe "delete attachments" do
+    clear_config([Pleroma.Upload])
+
+    test "in subdirectories" do
+      Pleroma.Config.put([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
+
+      file = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      user = insert(:user)
+
+      {:ok, %Object{} = attachment} =
+        Pleroma.Web.ActivityPub.ActivityPub.upload(file, actor: user.ap_id)
+
+      %{data: %{"attachment" => [%{"url" => [%{"href" => href}]}]}} =
+        note = insert(:note, %{user: user, data: %{"attachment" => [attachment.data]}})
+
+      uploads_dir = Pleroma.Config.get!([Pleroma.Uploaders.Local, :uploads])
+
+      path = href |> Path.dirname() |> Path.basename()
+
+      assert {:ok, ["an_image.jpg"]} == File.ls("#{uploads_dir}/#{path}")
+
+      Object.delete(note)
+
+      assert Object.get_by_id(attachment.id) == nil
+
+      assert {:ok, []} == File.ls("#{uploads_dir}/#{path}")
+    end
+
+    test "with dedupe enabled" do
+      Pleroma.Config.put([Pleroma.Upload, :uploader], Pleroma.Uploaders.Local)
+      Pleroma.Config.put([Pleroma.Upload, :filters], [Pleroma.Upload.Filter.Dedupe])
+
+      uploads_dir = Pleroma.Config.get!([Pleroma.Uploaders.Local, :uploads])
+
+      File.mkdir_p!(uploads_dir)
+
+      file = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      user = insert(:user)
+
+      {:ok, %Object{} = attachment} =
+        Pleroma.Web.ActivityPub.ActivityPub.upload(file, actor: user.ap_id)
+
+      %{data: %{"attachment" => [%{"url" => [%{"href" => href}]}]}} =
+        note = insert(:note, %{user: user, data: %{"attachment" => [attachment.data]}})
+
+      filename = Path.basename(href)
+
+      assert {:ok, files} = File.ls(uploads_dir)
+      assert filename in files
+
+      Object.delete(note)
+
+      assert Object.get_by_id(attachment.id) == nil
+      assert {:ok, files} = File.ls(uploads_dir)
+      refute filename in files
+    end
+  end
+
   describe "normalizer" do
     test "fetches unknown objects by default" do
       %Object{} =

test/plugs/oauth_scopes_plug_test.exs

@@ -16,34 +16,6 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
     :ok
   end
 
-  describe "when `assigns[:token]` is nil, " do
-    test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
-      conn =
-        conn
-        |> assign(:user, insert(:user))
-        |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
-
-      refute conn.halted
-      assert conn.assigns[:user]
-
-      refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
-    end
-
-    test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
-      conn: conn
-    } do
-      conn =
-        conn
-        |> assign(:user, insert(:user))
-        |> OAuthScopesPlug.call(%{scopes: ["read"]})
-
-      refute conn.halted
-      assert conn.assigns[:user]
-
-      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
-    end
-  end
-
   test "if `token.scopes` fulfills specified 'any of' conditions, " <>
          "proceeds with no op",
        %{conn: conn} do
@@ -75,64 +47,56 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
   end
 
   describe "with `fallback: :proceed_unauthenticated` option, " do
-    test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
-           "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
+    test "if `token.scopes` doesn't fulfill specified conditions, " <>
+           "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+      user = insert(:user)
+      token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, token.user)
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
+      for token <- [token1, nil], op <- [:|, :&] do
+        ret_conn =
+          conn
+          |> assign(:user, user)
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{
+            scopes: ["follow"],
+            op: op,
+            fallback: :proceed_unauthenticated
+          })
 
-      refute conn.halted
-      refute conn.assigns[:user]
+        refute ret_conn.halted
+        refute ret_conn.assigns[:user]
+        refute ret_conn.assigns[:token]
 
-      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
-    end
-
-    test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
-           "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
-         %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
-
-      conn =
-        conn
-        |> assign(:user, token.user)
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{
-          scopes: ["read", "follow"],
-          op: :&,
-          fallback: :proceed_unauthenticated
-        })
-
-      refute conn.halted
-      refute conn.assigns[:user]
-
-      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+        assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
+      end
     end
 
     test "with :skip_instance_privacy_check option, " <>
            "if `token.scopes` doesn't fulfill specified conditions, " <>
-           "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
+           "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
+      user = insert(:user)
+      token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, token.user)
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{
-          scopes: ["read"],
-          fallback: :proceed_unauthenticated,
-          skip_instance_privacy_check: true
-        })
+      for token <- [token1, nil], op <- [:|, :&] do
+        ret_conn =
+          conn
+          |> assign(:user, user)
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{
+            scopes: ["read"],
+            op: op,
+            fallback: :proceed_unauthenticated,
+            skip_instance_privacy_check: true
+          })
 
-      refute conn.halted
-      refute conn.assigns[:user]
+        refute ret_conn.halted
+        refute ret_conn.assigns[:user]
+        refute ret_conn.assigns[:token]
 
-      refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+        refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
+      end
     end
   end
 
@@ -140,39 +104,42 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
     test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
            "returns 403 and halts",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"])
-      any_of_scopes = ["follow"]
+      for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
+        any_of_scopes = ["follow", "push"]
 
-      conn =
-        conn
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
+        ret_conn =
+          conn
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
 
-      assert conn.halted
-      assert 403 == conn.status
+        assert ret_conn.halted
+        assert 403 == ret_conn.status
 
-      expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
-      assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+        expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
+        assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
+      end
     end
 
     test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
            "returns 403 and halts",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"])
-      all_of_scopes = ["write", "follow"]
+      for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
+        token_scopes = (token && token.scopes) || []
+        all_of_scopes = ["write", "follow"]
 
-      conn =
-        conn
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
+        conn =
+          conn
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
 
-      assert conn.halted
-      assert 403 == conn.status
+        assert conn.halted
+        assert 403 == conn.status
 
-      expected_error =
-        "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
+        expected_error =
+          "Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
 
-      assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+        assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+      end
     end
   end
 

test/runtime_test.exs

@@ -0,0 +1,11 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.RuntimeTest do
+  use ExUnit.Case, async: true
+
+  test "it loads custom runtime modules" do
+    assert Code.ensure_compiled?(RuntimeModule)
+  end
+end

test/support/conn_case.ex

@@ -28,6 +28,26 @@ defmodule Pleroma.Web.ConnCase do
 
       # The default endpoint for testing
       @endpoint Pleroma.Web.Endpoint
+
+      # Sets up OAuth access with specified scopes
+      defp oauth_access(scopes, opts \\ []) do
+        user =
+          Keyword.get_lazy(opts, :user, fn ->
+            Pleroma.Factory.insert(:user)
+          end)
+
+        token =
+          Keyword.get_lazy(opts, :oauth_token, fn ->
+            Pleroma.Factory.insert(:oauth_token, user: user, scopes: scopes)
+          end)
+
+        conn =
+          build_conn()
+          |> assign(:user, user)
+          |> assign(:token, token)
+
+        %{user: user, token: token, conn: conn}
+      end
     end
   end
 

test/support/factory.ex

@@ -296,7 +296,7 @@ defmodule Pleroma.Factory do
     %Pleroma.Web.OAuth.App{
       client_name: "Some client",
       redirect_uris: "https://example.com/callback",
-      scopes: ["read", "write", "follow", "push"],
+      scopes: ["read", "write", "follow", "push", "admin"],
       website: "https://example.com",
       client_id: Ecto.UUID.generate(),
       client_secret: "aaa;/&bbb"
@@ -310,19 +310,37 @@ defmodule Pleroma.Factory do
     }
   end
 
-  def oauth_token_factory do
-    oauth_app = insert(:oauth_app)
+  def oauth_token_factory(attrs \\ %{}) do
+    scopes = Map.get(attrs, :scopes, ["read"])
+    oauth_app = Map.get_lazy(attrs, :app, fn -> insert(:oauth_app, scopes: scopes) end)
+    user = Map.get_lazy(attrs, :user, fn -> build(:user) end)
+
+    valid_until =
+      Map.get(attrs, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10))
 
     %Pleroma.Web.OAuth.Token{
       token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
-      scopes: ["read"],
       refresh_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
-      user: build(:user),
-      app_id: oauth_app.id,
-      valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10)
+      scopes: scopes,
+      user: user,
+      app: oauth_app,
+      valid_until: valid_until
     }
   end
 
+  def oauth_admin_token_factory(attrs \\ %{}) do
+    user = Map.get_lazy(attrs, :user, fn -> build(:user, is_admin: true) end)
+
+    scopes =
+      attrs
+      |> Map.get(:scopes, ["admin"])
+      |> Kernel.++(["admin"])
+      |> Enum.uniq()
+
+    attrs = Map.merge(attrs, %{user: user, scopes: scopes})
+    oauth_token_factory(attrs)
+  end
+
   def oauth_authorization_factory do
     %Pleroma.Web.OAuth.Authorization{
       token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false),

test/support/http_request_mock.ex

@@ -308,6 +308,24 @@ defmodule HttpRequestMock do
      }}
   end
 
+  def get("https://mobilizon.org/events/252d5816-00a3-4a89-a66f-15bf65c33e39", _, _,
+        Accept: "application/activity+json"
+      ) do
+    {:ok,
+     %Tesla.Env{
+       status: 200,
+       body: File.read!("test/fixtures/tesla_mock/mobilizon.org-event.json")
+     }}
+  end
+
+  def get("https://mobilizon.org/@tcit", _, _, Accept: "application/activity+json") do
+    {:ok,
+     %Tesla.Env{
+       status: 200,
+       body: File.read!("test/fixtures/tesla_mock/mobilizon.org-user.json")
+     }}
+  end
+
   def get("https://baptiste.gelez.xyz/@/BaptisteGelez", _, _, _) do
     {:ok,
      %Tesla.Env{

test/uploaders/local_test.exs

@@ -29,4 +29,25 @@ defmodule Pleroma.Uploaders.LocalTest do
              |> File.exists?()
     end
   end
+
+  describe "delete_file/1" do
+    test "deletes local file" do
+      file_path = "local_upload/files/image.jpg"
+
+      file = %Pleroma.Upload{
+        name: "image.jpg",
+        content_type: "image/jpg",
+        path: file_path,
+        tempfile: Path.absname("test/fixtures/image_tmp.jpg")
+      }
+
+      :ok = Local.put_file(file)
+      local_path = Path.join([Local.upload_path(), file_path])
+      assert File.exists?(local_path)
+
+      Local.delete_file(file_path)
+
+      refute File.exists?(local_path)
+    end
+  end
 end

test/uploaders/mdii_test.exs

@@ -1,50 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-defmodule Pleroma.Uploaders.MDIITest do
-  use Pleroma.DataCase
-  alias Pleroma.Uploaders.MDII
-  import Tesla.Mock
-
-  describe "get_file/1" do
-    test "it returns path to local folder for files" do
-      assert MDII.get_file("") == {:ok, {:static_dir, "test/uploads"}}
-    end
-  end
-
-  describe "put_file/1" do
-    setup do
-      file_upload = %Pleroma.Upload{
-        name: "mdii-image.jpg",
-        content_type: "image/jpg",
-        path: "test_folder/mdii-image.jpg",
-        tempfile: Path.absname("test/fixtures/image_tmp.jpg")
-      }
-
-      [file_upload: file_upload]
-    end
-
-    test "save file", %{file_upload: file_upload} do
-      mock(fn
-        %{method: :post, url: "https://mdii.sakura.ne.jp/mdii-post.cgi?jpg"} ->
-          %Tesla.Env{status: 200, body: "mdii-image"}
-      end)
-
-      assert MDII.put_file(file_upload) ==
-               {:ok, {:url, "https://mdii.sakura.ne.jp/mdii-image.jpg"}}
-    end
-
-    test "save file to local if MDII  isn`t available", %{file_upload: file_upload} do
-      mock(fn
-        %{method: :post, url: "https://mdii.sakura.ne.jp/mdii-post.cgi?jpg"} ->
-          %Tesla.Env{status: 500}
-      end)
-
-      assert MDII.put_file(file_upload) == :ok
-
-      assert Path.join([Pleroma.Uploaders.Local.upload_path(), file_upload.path])
-             |> File.exists?()
-    end
-  end
-end

test/uploaders/s3_test.exs

@@ -79,4 +79,11 @@ defmodule Pleroma.Uploaders.S3Test do
       end
     end
   end
+
+  describe "delete_file/1" do
+    test_with_mock "deletes file", ExAws, request: fn _req -> {:ok, %{status_code: 204}} end do
+      assert :ok = S3.delete_file("image.jpg")
+      assert_called(ExAws.request(:_))
+    end
+  end
 end

test/user_test.exs

@@ -17,6 +17,7 @@ defmodule Pleroma.UserTest do
 
   import Mock
   import Pleroma.Factory
+  import ExUnit.CaptureLog
 
   setup_all do
     Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
@@ -26,6 +27,42 @@ defmodule Pleroma.UserTest do
   clear_config([:instance, :account_activation_required])
 
   describe "service actors" do
+    test "returns updated invisible actor" do
+      uri = "#{Pleroma.Web.Endpoint.url()}/relay"
+      followers_uri = "#{uri}/followers"
+
+      insert(
+        :user,
+        %{
+          nickname: "relay",
+          invisible: false,
+          local: true,
+          ap_id: uri,
+          follower_address: followers_uri
+        }
+      )
+
+      actor = User.get_or_create_service_actor_by_ap_id(uri, "relay")
+      assert actor.invisible
+    end
+
+    test "returns relay user" do
+      uri = "#{Pleroma.Web.Endpoint.url()}/relay"
+      followers_uri = "#{uri}/followers"
+
+      assert %User{
+               nickname: "relay",
+               invisible: true,
+               local: true,
+               ap_id: ^uri,
+               follower_address: ^followers_uri
+             } = User.get_or_create_service_actor_by_ap_id(uri, "relay")
+
+      assert capture_log(fn ->
+               refute User.get_or_create_service_actor_by_ap_id("/relay", "relay")
+             end) =~ "Cannot create service actor:"
+    end
+
     test "returns invisible actor" do
       uri = "#{Pleroma.Web.Endpoint.url()}/internal/fetch-test"
       followers_uri = "#{uri}/followers"

test/web/activity_pub/activity_pub_test.exs

@@ -1623,6 +1623,44 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
       assert follow_info.following_count == 32
       assert follow_info.hide_follows == true
     end
+
+    test "doesn't crash when follower and following counters are hidden" do
+      mock(fn env ->
+        case env.url do
+          "http://localhost:4001/users/masto_hidden_counters/following" ->
+            json(%{
+              "@context" => "https://www.w3.org/ns/activitystreams",
+              "id" => "http://localhost:4001/users/masto_hidden_counters/followers"
+            })
+
+          "http://localhost:4001/users/masto_hidden_counters/following?page=1" ->
+            %Tesla.Env{status: 403, body: ""}
+
+          "http://localhost:4001/users/masto_hidden_counters/followers" ->
+            json(%{
+              "@context" => "https://www.w3.org/ns/activitystreams",
+              "id" => "http://localhost:4001/users/masto_hidden_counters/following"
+            })
+
+          "http://localhost:4001/users/masto_hidden_counters/followers?page=1" ->
+            %Tesla.Env{status: 403, body: ""}
+        end
+      end)
+
+      user =
+        insert(:user,
+          local: false,
+          follower_address: "http://localhost:4001/users/masto_hidden_counters/followers",
+          following_address: "http://localhost:4001/users/masto_hidden_counters/following"
+        )
+
+      {:ok, follow_info} = ActivityPub.fetch_follow_information_for_user(user)
+
+      assert follow_info.hide_followers == true
+      assert follow_info.follower_count == 0
+      assert follow_info.hide_follows == true
+      assert follow_info.following_count == 0
+    end
   end
 
   describe "fetch_favourites/3" do

test/web/activity_pub/publisher_test.exs

@@ -23,6 +23,27 @@ defmodule Pleroma.Web.ActivityPub.PublisherTest do
     :ok
   end
 
+  describe "gather_webfinger_links/1" do
+    test "it returns links" do
+      user = insert(:user)
+
+      expected_links = [
+        %{"href" => user.ap_id, "rel" => "self", "type" => "application/activity+json"},
+        %{
+          "href" => user.ap_id,
+          "rel" => "self",
+          "type" => "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\""
+        },
+        %{
+          "rel" => "http://ostatus.org/schema/1.0/subscribe",
+          "template" => "#{Pleroma.Web.base_url()}/ostatus_subscribe?acct={uri}"
+        }
+      ]
+
+      assert expected_links == Publisher.gather_webfinger_links(user)
+    end
+  end
+
   describe "determine_inbox/2" do
     test "it returns sharedInbox for messages involving as:Public in to" do
       user =

test/web/masto_fe_controller_test.exs

@@ -18,6 +18,7 @@ defmodule Pleroma.Web.MastodonAPI.MastoFEController do
     conn =
       conn
       |> assign(:user, user)
+      |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:accounts"]))
       |> put("/api/web/settings", %{"data" => %{"programming" => "socks"}})
 
     assert _result = json_response(conn, 200)
@@ -63,12 +64,12 @@ defmodule Pleroma.Web.MastodonAPI.MastoFEController do
     end
 
     test "does not redirect logged in users to the login page", %{conn: conn, path: path} do
-      token = insert(:oauth_token)
+      token = insert(:oauth_token, scopes: ["read"])
 
       conn =
         conn
         |> assign(:user, token.user)
-        |> put_session(:oauth_token, token.token)
+        |> assign(:token, token)
         |> get(path)
 
       assert conn.status == 200

test/web/mastodon_api/controllers/account_controller/update_credentials_test.exs

@@ -12,13 +12,11 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
   clear_config([:instance, :max_account_fields])
 
   describe "updating credentials" do
-    test "sets user settings in a generic way", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
+    test "sets user settings in a generic way", %{conn: conn} do
       res_conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "pleroma_settings_store" => %{
             pleroma_fe: %{
               theme: "bla"
@@ -26,10 +24,10 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
           }
         })
 
-      assert user = json_response(res_conn, 200)
-      assert user["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
+      assert user_data = json_response(res_conn, 200)
+      assert user_data["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
 
-      user = Repo.get(User, user["id"])
+      user = Repo.get(User, user_data["id"])
 
       res_conn =
         conn
@@ -42,15 +40,15 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
           }
         })
 
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
 
-      assert user["pleroma"]["settings_store"] ==
+      assert user_data["pleroma"]["settings_store"] ==
                %{
                  "pleroma_fe" => %{"theme" => "bla"},
                  "masto_fe" => %{"theme" => "bla"}
                }
 
-      user = Repo.get(User, user["id"])
+      user = Repo.get(User, user_data["id"])
 
       res_conn =
         conn
@@ -63,9 +61,9 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
           }
         })
 
-      assert user = json_response(res_conn, 200)
+      assert user_data = json_response(res_conn, 200)
 
-      assert user["pleroma"]["settings_store"] ==
+      assert user_data["pleroma"]["settings_store"] ==
                %{
                  "pleroma_fe" => %{"theme" => "bla"},
                  "masto_fe" => %{"theme" => "blub"}
@@ -73,97 +71,67 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
     end
 
     test "updates the user's bio", %{conn: conn} do
-      user = insert(:user)
       user2 = insert(:user)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "note" => "I drink #cofe with @#{user2.nickname}"
         })
 
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
 
-      assert user["note"] ==
+      assert user_data["note"] ==
                ~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe">#cofe</a> with <span class="h-card"><a data-user="#{
                  user2.id
                }" class="u-url mention" href="#{user2.ap_id}" rel="ugc">@<span>#{user2.nickname}</span></a></span>)
     end
 
     test "updates the user's locking status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{locked: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{locked: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["locked"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["locked"] == true
     end
 
-    test "updates the user's allow_following_move", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's allow_following_move", %{user: user, conn: conn} do
       assert user.allow_following_move == true
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{allow_following_move: "false"})
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{allow_following_move: "false"})
 
       assert refresh_record(user).allow_following_move == false
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["allow_following_move"] == false
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["allow_following_move"] == false
     end
 
     test "updates the user's default scope", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["privacy"] == "cofe"
+      assert user_data = json_response(conn, 200)
+      assert user_data["source"]["privacy"] == "cofe"
     end
 
     test "updates the user's hide_followers status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_followers: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_followers"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_followers"] == true
     end
 
     test "updates the user's hide_followers_count and hide_follows_count", %{conn: conn} do
-      user = insert(:user)
-
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           hide_followers_count: "true",
           hide_follows_count: "true"
         })
 
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_followers_count"] == true
-      assert user["pleroma"]["hide_follows_count"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_followers_count"] == true
+      assert user_data["pleroma"]["hide_follows_count"] == true
     end
 
-    test "updates the user's skip_thread_containment option", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's skip_thread_containment option", %{user: user, conn: conn} do
       response =
         conn
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", %{skip_thread_containment: "true"})
         |> json_response(200)
 
@@ -172,104 +140,68 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
     end
 
     test "updates the user's hide_follows status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_follows: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_follows"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_follows"] == true
     end
 
     test "updates the user's hide_favorites status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_favorites"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["pleroma"]["hide_favorites"] == true
     end
 
     test "updates the user's show_role status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{show_role: "false"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["pleroma"]["show_role"] == false
+      assert user_data = json_response(conn, 200)
+      assert user_data["source"]["pleroma"]["show_role"] == false
     end
 
     test "updates the user's no_rich_text status", %{conn: conn} do
-      user = insert(:user)
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["pleroma"]["no_rich_text"] == true
+      assert user_data = json_response(conn, 200)
+      assert user_data["source"]["pleroma"]["no_rich_text"] == true
     end
 
     test "updates the user's name", %{conn: conn} do
-      user = insert(:user)
-
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
+        patch(conn, "/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
 
-      assert user = json_response(conn, 200)
-      assert user["display_name"] == "markorepairs"
+      assert user_data = json_response(conn, 200)
+      assert user_data["display_name"] == "markorepairs"
     end
 
-    test "updates the user's avatar", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's avatar", %{user: user, conn: conn} do
       new_avatar = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
         filename: "an_image.jpg"
       }
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
 
       assert user_response = json_response(conn, 200)
       assert user_response["avatar"] != User.avatar_url(user)
     end
 
-    test "updates the user's banner", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates the user's banner", %{user: user, conn: conn} do
       new_header = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
         filename: "an_image.jpg"
       }
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"header" => new_header})
+      conn = patch(conn, "/api/v1/accounts/update_credentials", %{"header" => new_header})
 
       assert user_response = json_response(conn, 200)
       assert user_response["header"] != User.banner_url(user)
     end
 
     test "updates the user's background", %{conn: conn} do
-      user = insert(:user)
-
       new_header = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
@@ -277,9 +209,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
       }
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "pleroma_background_image" => new_header
         })
 
@@ -287,13 +217,13 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
       assert user_response["pleroma"]["background_image"]
     end
 
-    test "requires 'write:accounts' permission", %{conn: conn} do
+    test "requires 'write:accounts' permission" do
       token1 = insert(:oauth_token, scopes: ["read"])
       token2 = insert(:oauth_token, scopes: ["write", "follow"])
 
       for token <- [token1, token2] do
         conn =
-          conn
+          build_conn()
           |> put_req_header("authorization", "Bearer #{token.token}")
           |> patch("/api/v1/accounts/update_credentials", %{})
 
@@ -306,53 +236,44 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
       end
     end
 
-    test "updates profile emojos", %{conn: conn} do
-      user = insert(:user)
-
+    test "updates profile emojos", %{user: user, conn: conn} do
       note = "*sips :blank:*"
       name = "I am :firefox:"
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
+      ret_conn =
+        patch(conn, "/api/v1/accounts/update_credentials", %{
           "note" => note,
           "display_name" => name
         })
 
-      assert json_response(conn, 200)
+      assert json_response(ret_conn, 200)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}")
+      conn = get(conn, "/api/v1/accounts/#{user.id}")
 
-      assert user = json_response(conn, 200)
+      assert user_data = json_response(conn, 200)
 
-      assert user["note"] == note
-      assert user["display_name"] == name
-      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user["emojis"]
+      assert user_data["note"] == note
+      assert user_data["display_name"] == name
+      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user_data["emojis"]
     end
 
     test "update fields", %{conn: conn} do
-      user = insert(:user)
-
       fields = [
         %{"name" => "<a href=\"http://google.com\">foo</a>", "value" => "<script>bar</script>"},
         %{"name" => "link", "value" => "cofe.io"}
       ]
 
-      account =
+      account_data =
         conn
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
         |> json_response(200)
 
-      assert account["fields"] == [
+      assert account_data["fields"] == [
                %{"name" => "foo", "value" => "bar"},
                %{"name" => "link", "value" => ~S(<a href="http://cofe.io" rel="ugc">cofe.io</a>)}
              ]
 
-      assert account["source"]["fields"] == [
+      assert account_data["source"]["fields"] == [
                %{
                  "name" => "<a href=\"http://google.com\">foo</a>",
                  "value" => "<script>bar</script>"
@@ -372,7 +293,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
       account =
         conn
         |> put_req_header("content-type", "application/x-www-form-urlencoded")
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", fields)
         |> json_response(200)
 
@@ -398,7 +318,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
 
       assert %{"error" => "Invalid request"} ==
                conn
-               |> assign(:user, user)
                |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
                |> json_response(403)
 
@@ -408,7 +327,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
 
       assert %{"error" => "Invalid request"} ==
                conn
-               |> assign(:user, user)
                |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
                |> json_response(403)
 
@@ -421,7 +339,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
 
       assert %{"error" => "Invalid request"} ==
                conn
-               |> assign(:user, user)
                |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
                |> json_response(403)
 
@@ -432,7 +349,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
 
       account =
         conn
-        |> assign(:user, user)
         |> patch("/api/v1/accounts/update_credentials", %{"fields_attributes" => fields})
         |> json_response(200)
 

test/web/mastodon_api/controllers/account_controller_test.exs

@@ -87,6 +87,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       conn =
         build_conn()
         |> assign(:user, reading_user)
+        |> assign(:token, insert(:oauth_token, user: reading_user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{user.nickname}")
 
       Pleroma.Config.put([:instance, :limit_to_local_content], limit_to_local)
@@ -144,8 +145,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "user timelines" do
-    test "respects blocks", %{conn: conn} do
-      user_one = insert(:user)
+    setup do: oauth_access(["read:statuses"])
+
+    test "respects blocks", %{user: user_one, conn: conn} do
       user_two = insert(:user)
       user_three = insert(:user)
 
@@ -154,46 +156,35 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       {:ok, activity} = CommonAPI.post(user_two, %{"status" => "User one sux0rz"})
       {:ok, repeat, _} = CommonAPI.repeat(activity.id, user_three)
 
-      resp =
-        conn
-        |> get("/api/v1/accounts/#{user_two.id}/statuses")
+      resp = get(conn, "/api/v1/accounts/#{user_two.id}/statuses")
 
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == activity.id
 
       # Even a blocked user will deliver the full user timeline, there would be
-      # no point in looking at a blocked users timeline otherwise
-      resp =
-        conn
-        |> assign(:user, user_one)
-        |> get("/api/v1/accounts/#{user_two.id}/statuses")
+      #   no point in looking at a blocked users timeline otherwise
+      resp = get(conn, "/api/v1/accounts/#{user_two.id}/statuses")
 
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == activity.id
 
-      resp =
-        conn
-        |> get("/api/v1/accounts/#{user_three.id}/statuses")
-
+      # Third user's timeline includes the repeat when viewed by unauthenticated user
+      resp = get(build_conn(), "/api/v1/accounts/#{user_three.id}/statuses")
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == repeat.id
 
-      # When viewing a third user's timeline, the blocked users will NOT be
-      # shown.
-      resp =
-        conn
-        |> assign(:user, user_one)
-        |> get("/api/v1/accounts/#{user_three.id}/statuses")
+      # When viewing a third user's timeline, the blocked users' statuses will NOT be shown
+      resp = get(conn, "/api/v1/accounts/#{user_three.id}/statuses")
 
       assert [] = json_response(resp, 200)
     end
 
-    test "gets a users statuses", %{conn: conn} do
+    test "gets users statuses", %{conn: conn} do
       user_one = insert(:user)
       user_two = insert(:user)
       user_three = insert(:user)
 
-      {:ok, user_three} = User.follow(user_three, user_one)
+      {:ok, _user_three} = User.follow(user_three, user_one)
 
       {:ok, activity} = CommonAPI.post(user_one, %{"status" => "HI!!!"})
 
@@ -206,9 +197,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       {:ok, private_activity} =
         CommonAPI.post(user_one, %{"status" => "private", "visibility" => "private"})
 
-      resp =
-        conn
-        |> get("/api/v1/accounts/#{user_one.id}/statuses")
+      resp = get(conn, "/api/v1/accounts/#{user_one.id}/statuses")
 
       assert [%{"id" => id}] = json_response(resp, 200)
       assert id == to_string(activity.id)
@@ -216,6 +205,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       resp =
         conn
         |> assign(:user, user_two)
+        |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
         |> get("/api/v1/accounts/#{user_one.id}/statuses")
 
       assert [%{"id" => id_one}, %{"id" => id_two}] = json_response(resp, 200)
@@ -225,6 +215,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       resp =
         conn
         |> assign(:user, user_three)
+        |> assign(:token, insert(:oauth_token, user: user_three, scopes: ["read:statuses"]))
         |> get("/api/v1/accounts/#{user_one.id}/statuses")
 
       assert [%{"id" => id_one}, %{"id" => id_two}] = json_response(resp, 200)
@@ -236,9 +227,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       note = insert(:note_activity)
       user = User.get_cached_by_ap_id(note.data["actor"])
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses?pinned=true")
 
       assert json_response(conn, 200) == []
     end
@@ -257,63 +246,51 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
 
       {:ok, image_post} = CommonAPI.post(user, %{"status" => "cofe", "media_ids" => [media_id]})
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "true"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "true"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(image_post.id)
 
-      conn =
-        build_conn()
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "1"})
+      conn = get(build_conn(), "/api/v1/accounts/#{user.id}/statuses", %{"only_media" => "1"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(image_post.id)
     end
 
-    test "gets a user's statuses without reblogs", %{conn: conn} do
-      user = insert(:user)
+    test "gets a user's statuses without reblogs", %{user: user, conn: conn} do
       {:ok, post} = CommonAPI.post(user, %{"status" => "HI!!!"})
       {:ok, _, _} = CommonAPI.repeat(post.id, user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "true"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "true"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(post.id)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "1"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_reblogs" => "1"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(post.id)
     end
 
-    test "filters user's statuses by a hashtag", %{conn: conn} do
-      user = insert(:user)
+    test "filters user's statuses by a hashtag", %{user: user, conn: conn} do
       {:ok, post} = CommonAPI.post(user, %{"status" => "#hashtag"})
       {:ok, _post} = CommonAPI.post(user, %{"status" => "hashtag"})
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"tagged" => "hashtag"})
+      conn = get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"tagged" => "hashtag"})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(post.id)
     end
 
-    test "the user views their own timelines and excludes direct messages", %{conn: conn} do
-      user = insert(:user)
+    test "the user views their own timelines and excludes direct messages", %{
+      user: user,
+      conn: conn
+    } do
       {:ok, public_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "public"})
       {:ok, _direct_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "direct"})
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/#{user.id}/statuses", %{"exclude_visibilities" => ["direct"]})
+        get(conn, "/api/v1/accounts/#{user.id}/statuses", %{"exclude_visibilities" => ["direct"]})
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(public_activity.id)
@@ -321,46 +298,42 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "followers" do
-    test "getting followers", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    test "getting followers", %{user: user, conn: conn} do
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{other_user.id}/followers")
+      conn = get(conn, "/api/v1/accounts/#{other_user.id}/followers")
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(user.id)
     end
 
-    test "getting followers, hide_followers", %{conn: conn} do
-      user = insert(:user)
+    test "getting followers, hide_followers", %{user: user, conn: conn} do
       other_user = insert(:user, hide_followers: true)
       {:ok, _user} = User.follow(user, other_user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{other_user.id}/followers")
+      conn = get(conn, "/api/v1/accounts/#{other_user.id}/followers")
 
       assert [] == json_response(conn, 200)
     end
 
-    test "getting followers, hide_followers, same user requesting", %{conn: conn} do
+    test "getting followers, hide_followers, same user requesting" do
       user = insert(:user)
       other_user = insert(:user, hide_followers: true)
       {:ok, _user} = User.follow(user, other_user)
 
       conn =
-        conn
+        build_conn()
         |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{other_user.id}/followers")
 
       refute [] == json_response(conn, 200)
     end
 
-    test "getting followers, pagination", %{conn: conn} do
-      user = insert(:user)
+    test "getting followers, pagination", %{user: user, conn: conn} do
       follower1 = insert(:user)
       follower2 = insert(:user)
       follower3 = insert(:user)
@@ -368,29 +341,19 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       {:ok, _} = User.follow(follower2, user)
       {:ok, _} = User.follow(follower3, user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/followers?since_id=#{follower1.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?since_id=#{follower1.id}")
 
       assert [%{"id" => id3}, %{"id" => id2}] = json_response(res_conn, 200)
       assert id3 == follower3.id
       assert id2 == follower2.id
 
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/followers?max_id=#{follower3.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?max_id=#{follower3.id}")
 
       assert [%{"id" => id2}, %{"id" => id1}] = json_response(res_conn, 200)
       assert id2 == follower2.id
       assert id1 == follower1.id
 
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/followers?limit=1&max_id=#{follower3.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/followers?limit=1&max_id=#{follower3.id}")
 
       assert [%{"id" => id2}] = json_response(res_conn, 200)
       assert id2 == follower2.id
@@ -402,46 +365,47 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "following" do
-    test "getting following", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    test "getting following", %{user: user, conn: conn} do
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following")
+      conn = get(conn, "/api/v1/accounts/#{user.id}/following")
 
       assert [%{"id" => id}] = json_response(conn, 200)
       assert id == to_string(other_user.id)
     end
 
-    test "getting following, hide_follows", %{conn: conn} do
+    test "getting following, hide_follows, other user requesting" do
       user = insert(:user, hide_follows: true)
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
       conn =
-        conn
+        build_conn()
+        |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{user.id}/following")
 
       assert [] == json_response(conn, 200)
     end
 
-    test "getting following, hide_follows, same user requesting", %{conn: conn} do
+    test "getting following, hide_follows, same user requesting" do
       user = insert(:user, hide_follows: true)
       other_user = insert(:user)
       {:ok, user} = User.follow(user, other_user)
 
       conn =
-        conn
+        build_conn()
         |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["read:accounts"]))
         |> get("/api/v1/accounts/#{user.id}/following")
 
       refute [] == json_response(conn, 200)
     end
 
-    test "getting following, pagination", %{conn: conn} do
-      user = insert(:user)
+    test "getting following, pagination", %{user: user, conn: conn} do
       following1 = insert(:user)
       following2 = insert(:user)
       following3 = insert(:user)
@@ -449,29 +413,20 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       {:ok, _} = User.follow(user, following2)
       {:ok, _} = User.follow(user, following3)
 
-      conn =
-        conn
-        |> assign(:user, user)
-
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following?since_id=#{following1.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/following?since_id=#{following1.id}")
 
       assert [%{"id" => id3}, %{"id" => id2}] = json_response(res_conn, 200)
       assert id3 == following3.id
       assert id2 == following2.id
 
-      res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following?max_id=#{following3.id}")
+      res_conn = get(conn, "/api/v1/accounts/#{user.id}/following?max_id=#{following3.id}")
 
       assert [%{"id" => id2}, %{"id" => id1}] = json_response(res_conn, 200)
       assert id2 == following2.id
       assert id1 == following1.id
 
       res_conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}/following?limit=1&max_id=#{following3.id}")
+        get(conn, "/api/v1/accounts/#{user.id}/following?limit=1&max_id=#{following3.id}")
 
       assert [%{"id" => id2}] = json_response(res_conn, 200)
       assert id2 == following2.id
@@ -483,82 +438,52 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "follow/unfollow" do
+    setup do: oauth_access(["follow"])
+
     test "following / unfollowing a user", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/follow")
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/follow")
 
-      assert %{"id" => _id, "following" => true} = json_response(conn, 200)
+      assert %{"id" => _id, "following" => true} = json_response(ret_conn, 200)
 
-      user = User.get_cached_by_id(user.id)
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/unfollow")
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/unfollow")
+      assert %{"id" => _id, "following" => false} = json_response(ret_conn, 200)
 
-      assert %{"id" => _id, "following" => false} = json_response(conn, 200)
-
-      user = User.get_cached_by_id(user.id)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/follows", %{"uri" => other_user.nickname})
+      conn = post(conn, "/api/v1/follows", %{"uri" => other_user.nickname})
 
       assert %{"id" => id} = json_response(conn, 200)
       assert id == to_string(other_user.id)
     end
 
     test "following without reblogs" do
-      follower = insert(:user)
+      %{conn: conn} = oauth_access(["follow", "read:statuses"])
       followed = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        build_conn()
-        |> assign(:user, follower)
-        |> post("/api/v1/accounts/#{followed.id}/follow?reblogs=false")
+      ret_conn = post(conn, "/api/v1/accounts/#{followed.id}/follow?reblogs=false")
 
-      assert %{"showing_reblogs" => false} = json_response(conn, 200)
+      assert %{"showing_reblogs" => false} = json_response(ret_conn, 200)
 
       {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hey"})
       {:ok, reblog, _} = CommonAPI.repeat(activity.id, followed)
 
-      conn =
-        build_conn()
-        |> assign(:user, User.get_cached_by_id(follower.id))
-        |> get("/api/v1/timelines/home")
+      ret_conn = get(conn, "/api/v1/timelines/home")
 
-      assert [] == json_response(conn, 200)
+      assert [] == json_response(ret_conn, 200)
 
-      conn =
-        build_conn()
-        |> assign(:user, User.get_cached_by_id(follower.id))
-        |> post("/api/v1/accounts/#{followed.id}/follow?reblogs=true")
+      ret_conn = post(conn, "/api/v1/accounts/#{followed.id}/follow?reblogs=true")
 
-      assert %{"showing_reblogs" => true} = json_response(conn, 200)
+      assert %{"showing_reblogs" => true} = json_response(ret_conn, 200)
 
-      conn =
-        build_conn()
-        |> assign(:user, User.get_cached_by_id(follower.id))
-        |> get("/api/v1/timelines/home")
+      conn = get(conn, "/api/v1/timelines/home")
 
       expected_activity_id = reblog.id
       assert [%{"id" => ^expected_activity_id}] = json_response(conn, 200)
     end
 
-    test "following / unfollowing errors" do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
+    test "following / unfollowing errors", %{user: user, conn: conn} do
       # self follow
       conn_res = post(conn, "/api/v1/accounts/#{user.id}/follow")
       assert %{"error" => "Record not found"} = json_response(conn_res, 404)
@@ -588,47 +513,34 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "mute/unmute" do
+    setup do: oauth_access(["write:mutes"])
+
     test "with notifications", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/mute")
+      ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/mute")
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert %{"id" => _id, "muting" => true, "muting_notifications" => true} = response
-      user = User.get_cached_by_id(user.id)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/unmute")
+      conn = post(conn, "/api/v1/accounts/#{other_user.id}/unmute")
 
       response = json_response(conn, 200)
       assert %{"id" => _id, "muting" => false, "muting_notifications" => false} = response
     end
 
     test "without notifications", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/mute", %{"notifications" => "false"})
+      ret_conn =
+        post(conn, "/api/v1/accounts/#{other_user.id}/mute", %{"notifications" => "false"})
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert %{"id" => _id, "muting" => true, "muting_notifications" => false} = response
-      user = User.get_cached_by_id(user.id)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/accounts/#{other_user.id}/unmute")
+      conn = post(conn, "/api/v1/accounts/#{other_user.id}/unmute")
 
       response = json_response(conn, 200)
       assert %{"id" => _id, "muting" => false, "muting_notifications" => false} = response
@@ -639,8 +551,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     setup do
       user = insert(:user)
       {:ok, activity} = CommonAPI.post(user, %{"status" => "HI!!!"})
+      %{conn: conn} = oauth_access(["read:statuses"], user: user)
 
-      [user: user, activity: activity]
+      [conn: conn, user: user, activity: activity]
     end
 
     test "returns pinned statuses", %{conn: conn, user: user, activity: activity} do
@@ -648,7 +561,6 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
 
       result =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
         |> json_response(200)
 
@@ -658,23 +570,15 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     end
   end
 
-  test "blocking / unblocking a user", %{conn: conn} do
-    user = insert(:user)
+  test "blocking / unblocking a user" do
+    %{conn: conn} = oauth_access(["follow"])
     other_user = insert(:user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/accounts/#{other_user.id}/block")
+    ret_conn = post(conn, "/api/v1/accounts/#{other_user.id}/block")
 
-    assert %{"id" => _id, "blocking" => true} = json_response(conn, 200)
+    assert %{"id" => _id, "blocking" => true} = json_response(ret_conn, 200)
 
-    user = User.get_cached_by_id(user.id)
-
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> post("/api/v1/accounts/#{other_user.id}/unblock")
+    conn = post(conn, "/api/v1/accounts/#{other_user.id}/unblock")
 
     assert %{"id" => _id, "blocking" => false} = json_response(conn, 200)
   end
@@ -693,8 +597,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
 
     test "Account registration via Application", %{conn: conn} do
       conn =
-        conn
-        |> post("/api/v1/apps", %{
+        post(conn, "/api/v1/apps", %{
           client_name: "client_name",
           redirect_uris: "urn:ietf:wg:oauth:2.0:oob",
           scopes: "read, write, follow"
@@ -711,8 +614,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       } = json_response(conn, 200)
 
       conn =
-        conn
-        |> post("/oauth/token", %{
+        post(conn, "/oauth/token", %{
           grant_type: "client_credentials",
           client_id: client_id,
           client_secret: client_secret
@@ -769,13 +671,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       app_token = insert(:oauth_token, user: nil)
 
       conn =
-        put_req_header(conn, "authorization", "Bearer " <> app_token.token)
+        conn
+        |> put_req_header("authorization", "Bearer " <> app_token.token)
         |> Map.put(:remote_ip, {15, 15, 15, 15})
 
       for i <- 1..5 do
         conn =
-          conn
-          |> post("/api/v1/accounts", %{
+          post(conn, "/api/v1/accounts", %{
             username: "#{i}lain",
             email: "#{i}lain@example.org",
             password: "PlzDontHackLain",
@@ -798,8 +700,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       end
 
       conn =
-        conn
-        |> post("/api/v1/accounts", %{
+        post(conn, "/api/v1/accounts", %{
           username: "6lain",
           email: "6lain@example.org",
           password: "PlzDontHackLain",
@@ -815,9 +716,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     } do
       app_token = insert(:oauth_token, user: nil)
 
-      conn =
-        conn
-        |> put_req_header("authorization", "Bearer " <> app_token.token)
+      conn = put_req_header(conn, "authorization", "Bearer " <> app_token.token)
 
       res = post(conn, "/api/v1/accounts", valid_params)
       assert json_response(res, 200)
@@ -836,9 +735,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     end
 
     test "returns forbidden if token is invalid", %{conn: conn, valid_params: valid_params} do
-      conn =
-        conn
-        |> put_req_header("authorization", "Bearer " <> "invalid-token")
+      conn = put_req_header(conn, "authorization", "Bearer " <> "invalid-token")
 
       res = post(conn, "/api/v1/accounts", valid_params)
       assert json_response(res, 403) == %{"error" => "Invalid credentials"}
@@ -846,15 +743,14 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "GET /api/v1/accounts/:id/lists - account_lists" do
-    test "returns lists to which the account belongs", %{conn: conn} do
-      user = insert(:user)
+    test "returns lists to which the account belongs" do
+      %{user: user, conn: conn} = oauth_access(["read:lists"])
       other_user = insert(:user)
       assert {:ok, %Pleroma.List{} = list} = Pleroma.List.create("Test List", user)
       {:ok, %{following: _following}} = Pleroma.List.follow(list, other_user)
 
       res =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/#{other_user.id}/lists")
         |> json_response(200)
 
@@ -863,13 +759,9 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "verify_credentials" do
-    test "verify_credentials", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/verify_credentials")
+    test "verify_credentials" do
+      %{user: user, conn: conn} = oauth_access(["read:accounts"])
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
 
       response = json_response(conn, 200)
 
@@ -878,25 +770,21 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
       assert id == to_string(user.id)
     end
 
-    test "verify_credentials default scope unlisted", %{conn: conn} do
+    test "verify_credentials default scope unlisted" do
       user = insert(:user, default_scope: "unlisted")
+      %{conn: conn} = oauth_access(["read:accounts"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/verify_credentials")
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
 
       assert %{"id" => id, "source" => %{"privacy" => "unlisted"}} = json_response(conn, 200)
       assert id == to_string(user.id)
     end
 
-    test "locked accounts", %{conn: conn} do
+    test "locked accounts" do
       user = insert(:user, default_scope: "private")
+      %{conn: conn} = oauth_access(["read:accounts"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/verify_credentials")
+      conn = get(conn, "/api/v1/accounts/verify_credentials")
 
       assert %{"id" => id, "source" => %{"privacy" => "private"}} = json_response(conn, 200)
       assert id == to_string(user.id)
@@ -904,15 +792,13 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
   end
 
   describe "user relationships" do
-    test "returns the relationships for the current user", %{conn: conn} do
-      user = insert(:user)
-      other_user = insert(:user)
-      {:ok, user} = User.follow(user, other_user)
+    setup do: oauth_access(["read:follows"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/relationships", %{"id" => [other_user.id]})
+    test "returns the relationships for the current user", %{user: user, conn: conn} do
+      other_user = insert(:user)
+      {:ok, _user} = User.follow(user, other_user)
+
+      conn = get(conn, "/api/v1/accounts/relationships", %{"id" => [other_user.id]})
 
       assert [relationship] = json_response(conn, 200)
 
@@ -920,34 +806,26 @@ defmodule Pleroma.Web.MastodonAPI.AccountControllerTest do
     end
 
     test "returns an empty list on a bad request", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/accounts/relationships", %{})
+      conn = get(conn, "/api/v1/accounts/relationships", %{})
 
       assert [] = json_response(conn, 200)
     end
   end
 
-  test "getting a list of mutes", %{conn: conn} do
-    user = insert(:user)
+  test "getting a list of mutes" do
+    %{user: user, conn: conn} = oauth_access(["read:mutes"])
     other_user = insert(:user)
 
     {:ok, _user_relationships} = User.mute(user, other_user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/mutes")
+    conn = get(conn, "/api/v1/mutes")
 
     other_user_id = to_string(other_user.id)
     assert [%{"id" => ^other_user_id}] = json_response(conn, 200)
   end
 
-  test "getting a list of blocks", %{conn: conn} do
-    user = insert(:user)
+  test "getting a list of blocks" do
+    %{user: user, conn: conn} = oauth_access(["read:blocks"])
     other_user = insert(:user)
 
     {:ok, _user_relationship} = User.block(user, other_user)

test/web/mastodon_api/controllers/conversation_controller_test.exs

@@ -10,8 +10,9 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
 
   import Pleroma.Factory
 
-  test "returns a list of conversations", %{conn: conn} do
-    user_one = insert(:user)
+  setup do: oauth_access(["read:statuses"])
+
+  test "returns a list of conversations", %{user: user_one, conn: conn} do
     user_two = insert(:user)
     user_three = insert(:user)
 
@@ -33,10 +34,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
         "visibility" => "private"
       })
 
-    res_conn =
-      conn
-      |> assign(:user, user_one)
-      |> get("/api/v1/conversations")
+    res_conn = get(conn, "/api/v1/conversations")
 
     assert response = json_response(res_conn, 200)
 
@@ -59,8 +57,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
     assert User.get_cached_by_id(user_one.id).unread_conversation_count == 0
   end
 
-  test "filters conversations by recipients", %{conn: conn} do
-    user_one = insert(:user)
+  test "filters conversations by recipients", %{user: user_one, conn: conn} do
     user_two = insert(:user)
     user_three = insert(:user)
 
@@ -96,7 +93,6 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
 
     [conversation1, conversation2] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations", %{"recipients" => [user_two.id]})
       |> json_response(200)
 
@@ -105,15 +101,13 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
 
     [conversation1] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations", %{"recipients" => [user_two.id, user_three.id]})
       |> json_response(200)
 
     assert conversation1["last_status"]["id"] == direct3.id
   end
 
-  test "updates the last_status on reply", %{conn: conn} do
-    user_one = insert(:user)
+  test "updates the last_status on reply", %{user: user_one, conn: conn} do
     user_two = insert(:user)
 
     {:ok, direct} =
@@ -131,15 +125,13 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
 
     [%{"last_status" => res_last_status}] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations")
       |> json_response(200)
 
     assert res_last_status["id"] == direct_reply.id
   end
 
-  test "the user marks a conversation as read", %{conn: conn} do
-    user_one = insert(:user)
+  test "the user marks a conversation as read", %{user: user_one, conn: conn} do
     user_two = insert(:user)
 
     {:ok, direct} =
@@ -151,15 +143,21 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
     assert User.get_cached_by_id(user_one.id).unread_conversation_count == 0
     assert User.get_cached_by_id(user_two.id).unread_conversation_count == 1
 
-    [%{"id" => direct_conversation_id, "unread" => true}] =
-      conn
+    user_two_conn =
+      build_conn()
       |> assign(:user, user_two)
+      |> assign(
+        :token,
+        insert(:oauth_token, user: user_two, scopes: ["read:statuses", "write:conversations"])
+      )
+
+    [%{"id" => direct_conversation_id, "unread" => true}] =
+      user_two_conn
       |> get("/api/v1/conversations")
       |> json_response(200)
 
     %{"unread" => false} =
-      conn
-      |> assign(:user, user_two)
+      user_two_conn
       |> post("/api/v1/conversations/#{direct_conversation_id}/read")
       |> json_response(200)
 
@@ -176,7 +174,6 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
 
     [%{"unread" => true}] =
       conn
-      |> assign(:user, user_one)
       |> get("/api/v1/conversations")
       |> json_response(200)
 
@@ -195,8 +192,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
     assert User.get_cached_by_id(user_two.id).unread_conversation_count == 0
   end
 
-  test "(vanilla) Mastodon frontend behaviour", %{conn: conn} do
-    user_one = insert(:user)
+  test "(vanilla) Mastodon frontend behaviour", %{user: user_one, conn: conn} do
     user_two = insert(:user)
 
     {:ok, direct} =
@@ -205,10 +201,7 @@ defmodule Pleroma.Web.MastodonAPI.ConversationControllerTest do
         "visibility" => "direct"
       })
 
-    res_conn =
-      conn
-      |> assign(:user, user_one)
-      |> get("/api/v1/statuses/#{direct.id}/context")
+    res_conn = get(conn, "/api/v1/statuses/#{direct.id}/context")
 
     assert %{"ancestors" => [], "descendants" => []} == json_response(res_conn, 200)
   end

test/web/mastodon_api/controllers/domain_block_controller_test.exs

@@ -9,31 +9,25 @@ defmodule Pleroma.Web.MastodonAPI.DomainBlockControllerTest do
 
   import Pleroma.Factory
 
-  test "blocking / unblocking a domain", %{conn: conn} do
-    user = insert(:user)
+  test "blocking / unblocking a domain" do
+    %{user: user, conn: conn} = oauth_access(["write:blocks"])
     other_user = insert(:user, %{ap_id: "https://dogwhistle.zone/@pundit"})
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
+    ret_conn = post(conn, "/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
 
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
     user = User.get_cached_by_ap_id(user.ap_id)
     assert User.blocks?(user, other_user)
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> delete("/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
+    ret_conn = delete(conn, "/api/v1/domain_blocks", %{"domain" => "dogwhistle.zone"})
 
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
     user = User.get_cached_by_ap_id(user.ap_id)
     refute User.blocks?(user, other_user)
   end
 
-  test "getting a list of domain blocks", %{conn: conn} do
-    user = insert(:user)
+  test "getting a list of domain blocks" do
+    %{user: user, conn: conn} = oauth_access(["read:blocks"])
 
     {:ok, user} = User.block_domain(user, "bad.site")
     {:ok, user} = User.block_domain(user, "even.worse.site")

test/web/mastodon_api/controllers/filter_controller_test.exs

@@ -7,20 +7,15 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
 
   alias Pleroma.Web.MastodonAPI.FilterView
 
-  import Pleroma.Factory
-
-  test "creating a filter", %{conn: conn} do
-    user = insert(:user)
+  test "creating a filter" do
+    %{conn: conn} = oauth_access(["write:filters"])
 
     filter = %Pleroma.Filter{
       phrase: "knights",
       context: ["home"]
     }
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
+    conn = post(conn, "/api/v1/filters", %{"phrase" => filter.phrase, context: filter.context})
 
     assert response = json_response(conn, 200)
     assert response["phrase"] == filter.phrase
@@ -30,8 +25,8 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
     assert response["id"] != ""
   end
 
-  test "fetching a list of filters", %{conn: conn} do
-    user = insert(:user)
+  test "fetching a list of filters" do
+    %{user: user, conn: conn} = oauth_access(["read:filters"])
 
     query_one = %Pleroma.Filter{
       user_id: user.id,
@@ -52,7 +47,6 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
 
     response =
       conn
-      |> assign(:user, user)
       |> get("/api/v1/filters")
       |> json_response(200)
 
@@ -64,8 +58,8 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
              )
   end
 
-  test "get a filter", %{conn: conn} do
-    user = insert(:user)
+  test "get a filter" do
+    %{user: user, conn: conn} = oauth_access(["read:filters"])
 
     query = %Pleroma.Filter{
       user_id: user.id,
@@ -76,16 +70,13 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
 
     {:ok, filter} = Pleroma.Filter.create(query)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/filters/#{filter.filter_id}")
+    conn = get(conn, "/api/v1/filters/#{filter.filter_id}")
 
     assert _response = json_response(conn, 200)
   end
 
-  test "update a filter", %{conn: conn} do
-    user = insert(:user)
+  test "update a filter" do
+    %{user: user, conn: conn} = oauth_access(["write:filters"])
 
     query = %Pleroma.Filter{
       user_id: user.id,
@@ -102,9 +93,7 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
     }
 
     conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/filters/#{query.filter_id}", %{
+      put(conn, "/api/v1/filters/#{query.filter_id}", %{
         phrase: new.phrase,
         context: new.context
       })
@@ -114,8 +103,8 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
     assert response["context"] == new.context
   end
 
-  test "delete a filter", %{conn: conn} do
-    user = insert(:user)
+  test "delete a filter" do
+    %{user: user, conn: conn} = oauth_access(["write:filters"])
 
     query = %Pleroma.Filter{
       user_id: user.id,
@@ -126,10 +115,7 @@ defmodule Pleroma.Web.MastodonAPI.FilterControllerTest do
 
     {:ok, filter} = Pleroma.Filter.create(query)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> delete("/api/v1/filters/#{filter.filter_id}")
+    conn = delete(conn, "/api/v1/filters/#{filter.filter_id}")
 
     assert response = json_response(conn, 200)
     assert response == %{}

test/web/mastodon_api/controllers/follow_request_controller_test.exs

@@ -11,8 +11,13 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestControllerTest do
   import Pleroma.Factory
 
   describe "locked accounts" do
-    test "/api/v1/follow_requests works" do
+    setup do
       user = insert(:user, locked: true)
+      %{conn: conn} = oauth_access(["follow"], user: user)
+      %{user: user, conn: conn}
+    end
+
+    test "/api/v1/follow_requests works", %{user: user, conn: conn} do
       other_user = insert(:user)
 
       {:ok, _activity} = ActivityPub.follow(other_user, user)
@@ -20,17 +25,13 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestControllerTest do
 
       assert User.following?(other_user, user) == false
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> get("/api/v1/follow_requests")
+      conn = get(conn, "/api/v1/follow_requests")
 
       assert [relationship] = json_response(conn, 200)
       assert to_string(other_user.id) == relationship["id"]
     end
 
-    test "/api/v1/follow_requests/:id/authorize works" do
-      user = insert(:user, locked: true)
+    test "/api/v1/follow_requests/:id/authorize works", %{user: user, conn: conn} do
       other_user = insert(:user)
 
       {:ok, _activity} = ActivityPub.follow(other_user, user)
@@ -41,10 +42,7 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestControllerTest do
 
       assert User.following?(other_user, user) == false
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/follow_requests/#{other_user.id}/authorize")
+      conn = post(conn, "/api/v1/follow_requests/#{other_user.id}/authorize")
 
       assert relationship = json_response(conn, 200)
       assert to_string(other_user.id) == relationship["id"]
@@ -55,18 +53,14 @@ defmodule Pleroma.Web.MastodonAPI.FollowRequestControllerTest do
       assert User.following?(other_user, user) == true
     end
 
-    test "/api/v1/follow_requests/:id/reject works" do
-      user = insert(:user, locked: true)
+    test "/api/v1/follow_requests/:id/reject works", %{user: user, conn: conn} do
       other_user = insert(:user)
 
       {:ok, _activity} = ActivityPub.follow(other_user, user)
 
       user = User.get_cached_by_id(user.id)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/follow_requests/#{other_user.id}/reject")
+      conn = post(conn, "/api/v1/follow_requests/#{other_user.id}/reject")
 
       assert relationship = json_response(conn, 200)
       assert to_string(other_user.id) == relationship["id"]

test/web/mastodon_api/controllers/list_controller_test.exs

@@ -9,44 +9,35 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
 
   import Pleroma.Factory
 
-  test "creating a list", %{conn: conn} do
-    user = insert(:user)
+  test "creating a list" do
+    %{conn: conn} = oauth_access(["write:lists"])
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/lists", %{"title" => "cuties"})
+    conn = post(conn, "/api/v1/lists", %{"title" => "cuties"})
 
     assert %{"title" => title} = json_response(conn, 200)
     assert title == "cuties"
   end
 
-  test "renders error for invalid params", %{conn: conn} do
-    user = insert(:user)
+  test "renders error for invalid params" do
+    %{conn: conn} = oauth_access(["write:lists"])
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/lists", %{"title" => nil})
+    conn = post(conn, "/api/v1/lists", %{"title" => nil})
 
     assert %{"error" => "can't be blank"} == json_response(conn, :unprocessable_entity)
   end
 
-  test "listing a user's lists", %{conn: conn} do
-    user = insert(:user)
+  test "listing a user's lists" do
+    %{conn: conn} = oauth_access(["read:lists", "write:lists"])
 
     conn
-    |> assign(:user, user)
     |> post("/api/v1/lists", %{"title" => "cuties"})
+    |> json_response(:ok)
 
     conn
-    |> assign(:user, user)
     |> post("/api/v1/lists", %{"title" => "cofe"})
+    |> json_response(:ok)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/lists")
+    conn = get(conn, "/api/v1/lists")
 
     assert [
              %{"id" => _, "title" => "cofe"},
@@ -54,41 +45,35 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
            ] = json_response(conn, :ok)
   end
 
-  test "adding users to a list", %{conn: conn} do
-    user = insert(:user)
+  test "adding users to a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     other_user = insert(:user)
     {:ok, list} = Pleroma.List.create("name", user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
+    conn = post(conn, "/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
 
     assert %{} == json_response(conn, 200)
     %Pleroma.List{following: following} = Pleroma.List.get(list.id, user)
     assert following == [other_user.follower_address]
   end
 
-  test "removing users from a list", %{conn: conn} do
-    user = insert(:user)
+  test "removing users from a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     other_user = insert(:user)
     third_user = insert(:user)
     {:ok, list} = Pleroma.List.create("name", user)
     {:ok, list} = Pleroma.List.follow(list, other_user)
     {:ok, list} = Pleroma.List.follow(list, third_user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> delete("/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
+    conn = delete(conn, "/api/v1/lists/#{list.id}/accounts", %{"account_ids" => [other_user.id]})
 
     assert %{} == json_response(conn, 200)
     %Pleroma.List{following: following} = Pleroma.List.get(list.id, user)
     assert following == [third_user.follower_address]
   end
 
-  test "listing users in a list", %{conn: conn} do
-    user = insert(:user)
+  test "listing users in a list" do
+    %{user: user, conn: conn} = oauth_access(["read:lists"])
     other_user = insert(:user)
     {:ok, list} = Pleroma.List.create("name", user)
     {:ok, list} = Pleroma.List.follow(list, other_user)
@@ -102,8 +87,8 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
     assert id == to_string(other_user.id)
   end
 
-  test "retrieving a list", %{conn: conn} do
-    user = insert(:user)
+  test "retrieving a list" do
+    %{user: user, conn: conn} = oauth_access(["read:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
     conn =
@@ -115,32 +100,26 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
     assert id == to_string(list.id)
   end
 
-  test "renders 404 if list is not found", %{conn: conn} do
-    user = insert(:user)
+  test "renders 404 if list is not found" do
+    %{conn: conn} = oauth_access(["read:lists"])
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/lists/666")
+    conn = get(conn, "/api/v1/lists/666")
 
     assert %{"error" => "List not found"} = json_response(conn, :not_found)
   end
 
-  test "renaming a list", %{conn: conn} do
-    user = insert(:user)
+  test "renaming a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/lists/#{list.id}", %{"title" => "newname"})
+    conn = put(conn, "/api/v1/lists/#{list.id}", %{"title" => "newname"})
 
     assert %{"title" => name} = json_response(conn, 200)
     assert name == "newname"
   end
 
-  test "validates title when renaming a list", %{conn: conn} do
-    user = insert(:user)
+  test "validates title when renaming a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
     conn =
@@ -151,14 +130,11 @@ defmodule Pleroma.Web.MastodonAPI.ListControllerTest do
     assert %{"error" => "can't be blank"} == json_response(conn, :unprocessable_entity)
   end
 
-  test "deleting a list", %{conn: conn} do
-    user = insert(:user)
+  test "deleting a list" do
+    %{user: user, conn: conn} = oauth_access(["write:lists"])
     {:ok, list} = Pleroma.List.create("name", user)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> delete("/api/v1/lists/#{list.id}")
+    conn = delete(conn, "/api/v1/lists/#{list.id}")
 
     assert %{} = json_response(conn, 200)
     assert is_nil(Repo.get(Pleroma.List, list.id))

test/web/mastodon_api/controllers/media_controller_test.exs

@@ -9,23 +9,17 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
   alias Pleroma.User
   alias Pleroma.Web.ActivityPub.ActivityPub
 
-  import Pleroma.Factory
+  setup do: oauth_access(["write:media"])
 
   describe "media upload" do
     setup do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
       image = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
         filename: "an_image.jpg"
       }
 
-      [conn: conn, image: image]
+      [image: image]
     end
 
     clear_config([:media_proxy])
@@ -49,9 +43,7 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
   end
 
   describe "PUT /api/v1/media/:id" do
-    setup do
-      actor = insert(:user)
-
+    setup %{user: actor} do
       file = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
@@ -65,13 +57,12 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
           description: "test-m"
         )
 
-      [actor: actor, object: object]
+      [object: object]
     end
 
-    test "updates name of media", %{conn: conn, actor: actor, object: object} do
+    test "updates name of media", %{conn: conn, object: object} do
       media =
         conn
-        |> assign(:user, actor)
         |> put("/api/v1/media/#{object.id}", %{"description" => "test-media"})
         |> json_response(:ok)
 
@@ -79,10 +70,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
       assert refresh_record(object).data["name"] == "test-media"
     end
 
-    test "returns error wheb request is bad", %{conn: conn, actor: actor, object: object} do
+    test "returns error when request is bad", %{conn: conn, object: object} do
       media =
         conn
-        |> assign(:user, actor)
         |> put("/api/v1/media/#{object.id}", %{})
         |> json_response(400)
 

test/web/mastodon_api/controllers/notification_controller_test.exs

@@ -12,8 +12,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
   import Pleroma.Factory
 
-  test "list of notifications", %{conn: conn} do
-    user = insert(:user)
+  test "list of notifications" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -34,18 +34,15 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     assert response == expected_response
   end
 
-  test "getting a single notification", %{conn: conn} do
-    user = insert(:user)
+  test "getting a single notification" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
 
     {:ok, [notification]} = Notification.create_notifications(activity)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/notifications/#{notification.id}")
+    conn = get(conn, "/api/v1/notifications/#{notification.id}")
 
     expected_response =
       "hi <span class=\"h-card\"><a data-user=\"#{user.id}\" class=\"u-url mention\" href=\"#{
@@ -56,8 +53,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     assert response == expected_response
   end
 
-  test "dismissing a single notification", %{conn: conn} do
-    user = insert(:user)
+  test "dismissing a single notification" do
+    %{user: user, conn: conn} = oauth_access(["write:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -72,32 +69,26 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     assert %{} = json_response(conn, 200)
   end
 
-  test "clearing all notifications", %{conn: conn} do
-    user = insert(:user)
+  test "clearing all notifications" do
+    %{user: user, conn: conn} = oauth_access(["write:notifications", "read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
 
     {:ok, [_notification]} = Notification.create_notifications(activity)
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/notifications/clear")
+    ret_conn = post(conn, "/api/v1/notifications/clear")
 
-    assert %{} = json_response(conn, 200)
+    assert %{} = json_response(ret_conn, 200)
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> get("/api/v1/notifications")
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    assert all = json_response(conn, 200)
+    assert all = json_response(ret_conn, 200)
     assert all == []
   end
 
-  test "paginates notifications using min_id, since_id, max_id, and limit", %{conn: conn} do
-    user = insert(:user)
+  test "paginates notifications using min_id, since_id, max_id, and limit" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, activity1} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -138,8 +129,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
   end
 
   describe "exclude_visibilities" do
-    test "filters notifications for mentions", %{conn: conn} do
-      user = insert(:user)
+    test "filters notifications for mentions" do
+      %{user: user, conn: conn} = oauth_access(["read:notifications"])
       other_user = insert(:user)
 
       {:ok, public_activity} =
@@ -154,8 +145,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
       {:ok, private_activity} =
         CommonAPI.post(other_user, %{"status" => "@#{user.nickname}", "visibility" => "private"})
 
-      conn = assign(conn, :user, user)
-
       conn_res =
         get(conn, "/api/v1/notifications", %{
           exclude_visibilities: ["public", "unlisted", "private"]
@@ -189,9 +178,9 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
       assert id == public_activity.id
     end
 
-    test "filters notifications for Like activities", %{conn: conn} do
+    test "filters notifications for Like activities" do
       user = insert(:user)
-      other_user = insert(:user)
+      %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
 
       {:ok, public_activity} =
         CommonAPI.post(other_user, %{"status" => ".", "visibility" => "public"})
@@ -212,7 +201,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["direct"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -224,7 +212,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["unlisted"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -236,7 +223,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["private"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -248,7 +234,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["public"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -259,9 +244,9 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
       assert direct_activity.id in activity_ids
     end
 
-    test "filters notifications for Announce activities", %{conn: conn} do
+    test "filters notifications for Announce activities" do
       user = insert(:user)
-      other_user = insert(:user)
+      %{user: other_user, conn: conn} = oauth_access(["read:notifications"])
 
       {:ok, public_activity} =
         CommonAPI.post(other_user, %{"status" => ".", "visibility" => "public"})
@@ -274,7 +259,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
 
       activity_ids =
         conn
-        |> assign(:user, other_user)
         |> get("/api/v1/notifications", %{exclude_visibilities: ["unlisted"]})
         |> json_response(200)
         |> Enum.map(& &1["status"]["id"])
@@ -284,8 +268,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     end
   end
 
-  test "filters notifications using exclude_types", %{conn: conn} do
-    user = insert(:user)
+  test "filters notifications using exclude_types" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     other_user = insert(:user)
 
     {:ok, mention_activity} = CommonAPI.post(other_user, %{"status" => "hey @#{user.nickname}"})
@@ -299,8 +283,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     reblog_notification_id = get_notification_id_by_activity(reblog_activity)
     follow_notification_id = get_notification_id_by_activity(follow_activity)
 
-    conn = assign(conn, :user, user)
-
     conn_res =
       get(conn, "/api/v1/notifications", %{exclude_types: ["mention", "favourite", "reblog"]})
 
@@ -322,8 +304,8 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     assert [%{"id" => ^reblog_notification_id}] = json_response(conn_res, 200)
   end
 
-  test "destroy multiple", %{conn: conn} do
-    user = insert(:user)
+  test "destroy multiple" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications", "write:notifications"])
     other_user = insert(:user)
 
     {:ok, activity1} = CommonAPI.post(other_user, %{"status" => "hi @#{user.nickname}"})
@@ -336,8 +318,6 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     notification3_id = get_notification_id_by_activity(activity3)
     notification4_id = get_notification_id_by_activity(activity4)
 
-    conn = assign(conn, :user, user)
-
     result =
       conn
       |> get("/api/v1/notifications")
@@ -348,6 +328,7 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     conn2 =
       conn
       |> assign(:user, other_user)
+      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:notifications"]))
 
     result =
       conn2
@@ -372,97 +353,110 @@ defmodule Pleroma.Web.MastodonAPI.NotificationControllerTest do
     assert [%{"id" => ^notification4_id}, %{"id" => ^notification3_id}] = result
   end
 
-  test "doesn't see notifications after muting user with notifications", %{conn: conn} do
-    user = insert(:user)
+  test "doesn't see notifications after muting user with notifications" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     user2 = insert(:user)
 
     {:ok, _, _, _} = CommonAPI.follow(user, user2)
     {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
 
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    conn = get(conn, "/api/v1/notifications")
-
-    assert length(json_response(conn, 200)) == 1
+    assert length(json_response(ret_conn, 200)) == 1
 
     {:ok, _user_relationships} = User.mute(user, user2)
 
-    conn = assign(build_conn(), :user, user)
     conn = get(conn, "/api/v1/notifications")
 
     assert json_response(conn, 200) == []
   end
 
-  test "see notifications after muting user without notifications", %{conn: conn} do
-    user = insert(:user)
+  test "see notifications after muting user without notifications" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     user2 = insert(:user)
 
     {:ok, _, _, _} = CommonAPI.follow(user, user2)
     {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
 
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    conn = get(conn, "/api/v1/notifications")
-
-    assert length(json_response(conn, 200)) == 1
+    assert length(json_response(ret_conn, 200)) == 1
 
     {:ok, _user_relationships} = User.mute(user, user2, false)
 
-    conn = assign(build_conn(), :user, user)
     conn = get(conn, "/api/v1/notifications")
 
     assert length(json_response(conn, 200)) == 1
   end
 
-  test "see notifications after muting user with notifications and with_muted parameter", %{
-    conn: conn
-  } do
-    user = insert(:user)
+  test "see notifications after muting user with notifications and with_muted parameter" do
+    %{user: user, conn: conn} = oauth_access(["read:notifications"])
     user2 = insert(:user)
 
     {:ok, _, _, _} = CommonAPI.follow(user, user2)
     {:ok, _} = CommonAPI.post(user2, %{"status" => "hey @#{user.nickname}"})
 
-    conn = assign(conn, :user, user)
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    conn = get(conn, "/api/v1/notifications")
-
-    assert length(json_response(conn, 200)) == 1
+    assert length(json_response(ret_conn, 200)) == 1
 
     {:ok, _user_relationships} = User.mute(user, user2)
 
-    conn = assign(build_conn(), :user, user)
     conn = get(conn, "/api/v1/notifications", %{"with_muted" => "true"})
 
     assert length(json_response(conn, 200)) == 1
   end
 
-  test "see move notifications with `with_move` parameter", %{
-    conn: conn
-  } do
+  test "see move notifications with `with_move` parameter" do
     old_user = insert(:user)
     new_user = insert(:user, also_known_as: [old_user.ap_id])
-    follower = insert(:user)
+    %{user: follower, conn: conn} = oauth_access(["read:notifications"])
 
     User.follow(follower, old_user)
     Pleroma.Web.ActivityPub.ActivityPub.move(old_user, new_user)
     Pleroma.Tests.ObanHelpers.perform_all()
 
-    conn =
-      conn
-      |> assign(:user, follower)
-      |> get("/api/v1/notifications")
+    ret_conn = get(conn, "/api/v1/notifications")
 
-    assert json_response(conn, 200) == []
+    assert json_response(ret_conn, 200) == []
 
-    conn =
-      build_conn()
-      |> assign(:user, follower)
-      |> get("/api/v1/notifications", %{"with_move" => "true"})
+    conn = get(conn, "/api/v1/notifications", %{"with_move" => "true"})
 
     assert length(json_response(conn, 200)) == 1
   end
 
+  describe "link headers" do
+    test "preserves parameters in link headers" do
+      %{user: user, conn: conn} = oauth_access(["read:notifications"])
+      other_user = insert(:user)
+
+      {:ok, activity1} =
+        CommonAPI.post(other_user, %{
+          "status" => "hi @#{user.nickname}",
+          "visibility" => "public"
+        })
+
+      {:ok, activity2} =
+        CommonAPI.post(other_user, %{
+          "status" => "hi @#{user.nickname}",
+          "visibility" => "public"
+        })
+
+      notification1 = Repo.get_by(Notification, activity_id: activity1.id)
+      notification2 = Repo.get_by(Notification, activity_id: activity2.id)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/notifications", %{media_only: true})
+
+      assert [link_header] = get_resp_header(conn, "link")
+      assert link_header =~ ~r/media_only=true/
+      assert link_header =~ ~r/min_id=#{notification2.id}/
+      assert link_header =~ ~r/max_id=#{notification1.id}/
+    end
+  end
+
   describe "from specified user" do
     test "account_id", %{conn: conn} do
       user = insert(:user)

test/web/mastodon_api/controllers/poll_controller_test.exs

@@ -11,9 +11,9 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
   import Pleroma.Factory
 
   describe "GET /api/v1/polls/:id" do
-    test "returns poll entity for object id", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:statuses"])
 
+    test "returns poll entity for object id", %{user: user, conn: conn} do
       {:ok, activity} =
         CommonAPI.post(user, %{
           "status" => "Pleroma does",
@@ -22,10 +22,7 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/polls/#{object.id}")
+      conn = get(conn, "/api/v1/polls/#{object.id}")
 
       response = json_response(conn, 200)
       id = to_string(object.id)
@@ -33,11 +30,10 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
     end
 
     test "does not expose polls for private statuses", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Pleroma does",
           "poll" => %{"options" => ["what Mastodon't", "n't what Mastodoes"], "expires_in" => 20},
           "visibility" => "private"
@@ -45,22 +41,20 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> get("/api/v1/polls/#{object.id}")
+      conn = get(conn, "/api/v1/polls/#{object.id}")
 
       assert json_response(conn, 404)
     end
   end
 
   describe "POST /api/v1/polls/:id/votes" do
+    setup do: oauth_access(["write:statuses"])
+
     test "votes are added to the poll", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "A very delicious sandwich",
           "poll" => %{
             "options" => ["Lettuce", "Grilled Bacon", "Tomato"],
@@ -71,10 +65,7 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
 
       assert json_response(conn, 200)
       object = Object.get_by_id(object.id)
@@ -84,9 +75,7 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
              end)
     end
 
-    test "author can't vote", %{conn: conn} do
-      user = insert(:user)
-
+    test "author can't vote", %{user: user, conn: conn} do
       {:ok, activity} =
         CommonAPI.post(user, %{
           "status" => "Am I cute?",
@@ -96,7 +85,6 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
       object = Object.normalize(activity)
 
       assert conn
-             |> assign(:user, user)
              |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [1]})
              |> json_response(422) == %{"error" => "Poll's author can't vote"}
 
@@ -106,11 +94,10 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
     end
 
     test "does not allow multiple choices on a single-choice question", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "The glass is",
           "poll" => %{"options" => ["half empty", "half full"], "expires_in" => 20}
         })
@@ -118,7 +105,6 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
       object = Object.normalize(activity)
 
       assert conn
-             |> assign(:user, other_user)
              |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1]})
              |> json_response(422) == %{"error" => "Too many choices"}
 
@@ -130,42 +116,32 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
     end
 
     test "does not allow choice index to be greater than options count", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Am I cute?",
           "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20}
         })
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [2]})
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [2]})
 
       assert json_response(conn, 422) == %{"error" => "Invalid indices"}
     end
 
     test "returns 404 error when object is not exist", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/polls/1/votes", %{"choices" => [0]})
+      conn = post(conn, "/api/v1/polls/1/votes", %{"choices" => [0]})
 
       assert json_response(conn, 404) == %{"error" => "Record not found"}
     end
 
     test "returns 404 when poll is private and not available for user", %{conn: conn} do
-      user = insert(:user)
       other_user = insert(:user)
 
       {:ok, activity} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Am I cute?",
           "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20},
           "visibility" => "private"
@@ -173,10 +149,7 @@ defmodule Pleroma.Web.MastodonAPI.PollControllerTest do
 
       object = Object.normalize(activity)
 
-      conn =
-        conn
-        |> assign(:user, other_user)
-        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0]})
+      conn = post(conn, "/api/v1/polls/#{object.id}/votes", %{"choices" => [0]})
 
       assert json_response(conn, 404) == %{"error" => "Record not found"}
     end

test/web/mastodon_api/controllers/report_controller_test.exs

@@ -9,32 +9,30 @@ defmodule Pleroma.Web.MastodonAPI.ReportControllerTest do
 
   import Pleroma.Factory
 
+  setup do: oauth_access(["write:reports"])
+
   setup do
-    reporter = insert(:user)
     target_user = insert(:user)
 
     {:ok, activity} = CommonAPI.post(target_user, %{"status" => "foobar"})
 
-    [reporter: reporter, target_user: target_user, activity: activity]
+    [target_user: target_user, activity: activity]
   end
 
-  test "submit a basic report", %{conn: conn, reporter: reporter, target_user: target_user} do
+  test "submit a basic report", %{conn: conn, target_user: target_user} do
     assert %{"action_taken" => false, "id" => _} =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{"account_id" => target_user.id})
              |> json_response(200)
   end
 
   test "submit a report with statuses and comment", %{
     conn: conn,
-    reporter: reporter,
     target_user: target_user,
     activity: activity
   } do
     assert %{"action_taken" => false, "id" => _} =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{
                "account_id" => target_user.id,
                "status_ids" => [activity.id],
@@ -46,19 +44,16 @@ defmodule Pleroma.Web.MastodonAPI.ReportControllerTest do
 
   test "account_id is required", %{
     conn: conn,
-    reporter: reporter,
     activity: activity
   } do
     assert %{"error" => "Valid `account_id` required"} =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{"status_ids" => [activity.id]})
              |> json_response(400)
   end
 
   test "comment must be up to the size specified in the config", %{
     conn: conn,
-    reporter: reporter,
     target_user: target_user
   } do
     max_size = Pleroma.Config.get([:instance, :max_report_comment_size], 1000)
@@ -68,20 +63,15 @@ defmodule Pleroma.Web.MastodonAPI.ReportControllerTest do
 
     assert ^error =
              conn
-             |> assign(:user, reporter)
              |> post("/api/v1/reports", %{"account_id" => target_user.id, "comment" => comment})
              |> json_response(400)
   end
 
   test "returns error when account is not exist", %{
     conn: conn,
-    reporter: reporter,
     activity: activity
   } do
-    conn =
-      conn
-      |> assign(:user, reporter)
-      |> post("/api/v1/reports", %{"status_ids" => [activity.id], "account_id" => "foo"})
+    conn = post(conn, "/api/v1/reports", %{"status_ids" => [activity.id], "account_id" => "foo"})
 
     assert json_response(conn, 400) == %{"error" => "Account not found"}
   end

test/web/mastodon_api/controllers/scheduled_activity_controller_test.exs

@@ -10,89 +10,69 @@ defmodule Pleroma.Web.MastodonAPI.ScheduledActivityControllerTest do
 
   import Pleroma.Factory
 
-  test "shows scheduled activities", %{conn: conn} do
-    user = insert(:user)
+  test "shows scheduled activities" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
+
     scheduled_activity_id1 = insert(:scheduled_activity, user: user).id |> to_string()
     scheduled_activity_id2 = insert(:scheduled_activity, user: user).id |> to_string()
     scheduled_activity_id3 = insert(:scheduled_activity, user: user).id |> to_string()
     scheduled_activity_id4 = insert(:scheduled_activity, user: user).id |> to_string()
 
-    conn =
-      conn
-      |> assign(:user, user)
-
     # min_id
-    conn_res =
-      conn
-      |> get("/api/v1/scheduled_statuses?limit=2&min_id=#{scheduled_activity_id1}")
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&min_id=#{scheduled_activity_id1}")
 
     result = json_response(conn_res, 200)
     assert [%{"id" => ^scheduled_activity_id3}, %{"id" => ^scheduled_activity_id2}] = result
 
     # since_id
-    conn_res =
-      conn
-      |> get("/api/v1/scheduled_statuses?limit=2&since_id=#{scheduled_activity_id1}")
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&since_id=#{scheduled_activity_id1}")
 
     result = json_response(conn_res, 200)
     assert [%{"id" => ^scheduled_activity_id4}, %{"id" => ^scheduled_activity_id3}] = result
 
     # max_id
-    conn_res =
-      conn
-      |> get("/api/v1/scheduled_statuses?limit=2&max_id=#{scheduled_activity_id4}")
+    conn_res = get(conn, "/api/v1/scheduled_statuses?limit=2&max_id=#{scheduled_activity_id4}")
 
     result = json_response(conn_res, 200)
     assert [%{"id" => ^scheduled_activity_id3}, %{"id" => ^scheduled_activity_id2}] = result
   end
 
-  test "shows a scheduled activity", %{conn: conn} do
-    user = insert(:user)
+  test "shows a scheduled activity" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
     scheduled_activity = insert(:scheduled_activity, user: user)
 
-    res_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/scheduled_statuses/#{scheduled_activity.id}")
+    res_conn = get(conn, "/api/v1/scheduled_statuses/#{scheduled_activity.id}")
 
     assert %{"id" => scheduled_activity_id} = json_response(res_conn, 200)
     assert scheduled_activity_id == scheduled_activity.id |> to_string()
 
-    res_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/scheduled_statuses/404")
+    res_conn = get(conn, "/api/v1/scheduled_statuses/404")
 
     assert %{"error" => "Record not found"} = json_response(res_conn, 404)
   end
 
-  test "updates a scheduled activity", %{conn: conn} do
-    user = insert(:user)
+  test "updates a scheduled activity" do
+    %{user: user, conn: conn} = oauth_access(["write:statuses"])
     scheduled_activity = insert(:scheduled_activity, user: user)
 
     new_scheduled_at =
       NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
 
     res_conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/scheduled_statuses/#{scheduled_activity.id}", %{
+      put(conn, "/api/v1/scheduled_statuses/#{scheduled_activity.id}", %{
         scheduled_at: new_scheduled_at
       })
 
     assert %{"scheduled_at" => expected_scheduled_at} = json_response(res_conn, 200)
     assert expected_scheduled_at == Pleroma.Web.CommonAPI.Utils.to_masto_date(new_scheduled_at)
 
-    res_conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/scheduled_statuses/404", %{scheduled_at: new_scheduled_at})
+    res_conn = put(conn, "/api/v1/scheduled_statuses/404", %{scheduled_at: new_scheduled_at})
 
     assert %{"error" => "Record not found"} = json_response(res_conn, 404)
   end
 
-  test "deletes a scheduled activity", %{conn: conn} do
-    user = insert(:user)
+  test "deletes a scheduled activity" do
+    %{user: user, conn: conn} = oauth_access(["write:statuses"])
     scheduled_activity = insert(:scheduled_activity, user: user)
 
     res_conn =

test/web/mastodon_api/controllers/search_controller_test.exs

@@ -77,13 +77,11 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do
 
   describe ".account_search" do
     test "account search", %{conn: conn} do
-      user = insert(:user)
       user_two = insert(:user, %{nickname: "shp@shitposter.club"})
       user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
 
       results =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/search", %{"q" => "shp"})
         |> json_response(200)
 
@@ -94,7 +92,6 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do
 
       results =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/search", %{"q" => "2hu"})
         |> json_response(200)
 
@@ -104,11 +101,10 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do
     end
 
     test "returns account if query contains a space", %{conn: conn} do
-      user = insert(:user, %{nickname: "shp@shitposter.club"})
+      insert(:user, %{nickname: "shp@shitposter.club"})
 
       results =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/accounts/search", %{"q" => "shp@shitposter.club xxx "})
         |> json_response(200)
 
@@ -209,6 +205,7 @@ defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do
       conn =
         conn
         |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["read"]))
         |> get("/api/v1/search", %{"q" => "mike@osada.macgirvin.com", "resolve" => "true"})
 
       assert results = json_response(conn, 200)

test/web/mastodon_api/controllers/status_controller_test.exs

@@ -23,24 +23,14 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   clear_config([:instance, :allow_relay])
 
   describe "posting statuses" do
-    setup do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
-      [conn: conn]
-    end
+    setup do: oauth_access(["write:statuses"])
 
     test "posting a status does not increment reblog_count when relaying", %{conn: conn} do
       Pleroma.Config.put([:instance, :federating], true)
       Pleroma.Config.get([:instance, :allow_relay], true)
-      user = insert(:user)
 
       response =
         conn
-        |> assign(:user, user)
         |> post("api/v1/statuses", %{
           "content_type" => "text/plain",
           "source" => "Pleroma FE",
@@ -54,7 +44,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       response =
         conn
-        |> assign(:user, user)
         |> get("api/v1/statuses/#{response["id"]}", %{})
         |> json_response(200)
 
@@ -132,9 +121,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
                NaiveDateTime.to_iso8601(expiration.scheduled_at)
     end
 
-    test "posting an undefined status with an attachment", %{conn: conn} do
-      user = insert(:user)
-
+    test "posting an undefined status with an attachment", %{user: user, conn: conn} do
       file = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
@@ -144,17 +131,14 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       {:ok, upload} = ActivityPub.upload(file, actor: user.ap_id)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "media_ids" => [to_string(upload.id)]
         })
 
       assert json_response(conn, 200)
     end
 
-    test "replying to a status", %{conn: conn} do
-      user = insert(:user)
+    test "replying to a status", %{user: user, conn: conn} do
       {:ok, replied_to} = CommonAPI.post(user, %{"status" => "cofe"})
 
       conn =
@@ -169,8 +153,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert Activity.get_in_reply_to_activity(activity).id == replied_to.id
     end
 
-    test "replying to a direct message with visibility other than direct", %{conn: conn} do
-      user = insert(:user)
+    test "replying to a direct message with visibility other than direct", %{
+      user: user,
+      conn: conn
+    } do
       {:ok, replied_to} = CommonAPI.post(user, %{"status" => "suya..", "visibility" => "direct"})
 
       Enum.each(["public", "private", "unlisted"], fn visibility ->
@@ -187,18 +173,14 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "posting a status with an invalid in_reply_to_id", %{conn: conn} do
-      conn =
-        conn
-        |> post("/api/v1/statuses", %{"status" => "xD", "in_reply_to_id" => ""})
+      conn = post(conn, "/api/v1/statuses", %{"status" => "xD", "in_reply_to_id" => ""})
 
       assert %{"content" => "xD", "id" => id} = json_response(conn, 200)
       assert Activity.get_by_id(id)
     end
 
     test "posting a sensitive status", %{conn: conn} do
-      conn =
-        conn
-        |> post("/api/v1/statuses", %{"status" => "cofe", "sensitive" => true})
+      conn = post(conn, "/api/v1/statuses", %{"status" => "cofe", "sensitive" => true})
 
       assert %{"content" => "cofe", "id" => id, "sensitive" => true} = json_response(conn, 200)
       assert Activity.get_by_id(id)
@@ -206,8 +188,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
     test "posting a fake status", %{conn: conn} do
       real_conn =
-        conn
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" =>
             "\"Tenshi Eating a Corndog\" is a much discussed concept on /jp/. The significance of it is disputed, so I will focus on one core concept: the symbolism behind it"
         })
@@ -226,8 +207,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
         |> Kernel.put_in(["pleroma", "conversation_id"], nil)
 
       fake_conn =
-        conn
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" =>
             "\"Tenshi Eating a Corndog\" is a much discussed concept on /jp/. The significance of it is disputed, so I will focus on one core concept: the symbolism behind it",
           "preview" => true
@@ -254,8 +234,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       Config.put([:rich_media, :enabled], true)
 
       conn =
-        conn
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "https://example.com/ogp"
         })
 
@@ -267,9 +246,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       user2 = insert(:user)
       content = "direct cofe @#{user2.nickname}"
 
-      conn =
-        conn
-        |> post("api/v1/statuses", %{"status" => content, "visibility" => "direct"})
+      conn = post(conn, "api/v1/statuses", %{"status" => content, "visibility" => "direct"})
 
       assert %{"id" => id} = response = json_response(conn, 200)
       assert response["visibility"] == "direct"
@@ -282,14 +259,13 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   end
 
   describe "posting scheduled statuses" do
+    setup do: oauth_access(["write:statuses"])
+
     test "creates a scheduled activity", %{conn: conn} do
-      user = insert(:user)
       scheduled_at = NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "scheduled",
           "scheduled_at" => scheduled_at
         })
@@ -299,8 +275,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert [] == Repo.all(Activity)
     end
 
-    test "creates a scheduled activity with a media attachment", %{conn: conn} do
-      user = insert(:user)
+    test "creates a scheduled activity with a media attachment", %{user: user, conn: conn} do
       scheduled_at = NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
 
       file = %Plug.Upload{
@@ -312,9 +287,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       {:ok, upload} = ActivityPub.upload(file, actor: user.ap_id)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "media_ids" => [to_string(upload.id)],
           "status" => "scheduled",
           "scheduled_at" => scheduled_at
@@ -326,15 +299,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
     test "skips the scheduling and creates the activity if scheduled_at is earlier than 5 minutes from now",
          %{conn: conn} do
-      user = insert(:user)
-
       scheduled_at =
         NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(5) - 1, :millisecond)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "not scheduled",
           "scheduled_at" => scheduled_at
         })
@@ -343,9 +312,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert [] == Repo.all(ScheduledActivity)
     end
 
-    test "returns error when daily user limit is exceeded", %{conn: conn} do
-      user = insert(:user)
-
+    test "returns error when daily user limit is exceeded", %{user: user, conn: conn} do
       today =
         NaiveDateTime.utc_now()
         |> NaiveDateTime.add(:timer.minutes(6), :millisecond)
@@ -355,17 +322,12 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       {:ok, _} = ScheduledActivity.create(user, attrs)
       {:ok, _} = ScheduledActivity.create(user, attrs)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => today})
+      conn = post(conn, "/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => today})
 
       assert %{"error" => "daily limit exceeded"} == json_response(conn, 422)
     end
 
-    test "returns error when total user limit is exceeded", %{conn: conn} do
-      user = insert(:user)
-
+    test "returns error when total user limit is exceeded", %{user: user, conn: conn} do
       today =
         NaiveDateTime.utc_now()
         |> NaiveDateTime.add(:timer.minutes(6), :millisecond)
@@ -382,23 +344,20 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       {:ok, _} = ScheduledActivity.create(user, %{params: %{}, scheduled_at: tomorrow})
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => tomorrow})
+        post(conn, "/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => tomorrow})
 
       assert %{"error" => "total limit exceeded"} == json_response(conn, 422)
     end
   end
 
   describe "posting polls" do
+    setup do: oauth_access(["write:statuses"])
+
     test "posting a poll", %{conn: conn} do
-      user = insert(:user)
       time = NaiveDateTime.utc_now()
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "Who is the #bestgrill?",
           "poll" => %{"options" => ["Rei", "Asuka", "Misato"], "expires_in" => 420}
         })
@@ -414,13 +373,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "option limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :max_options])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "desu~",
           "poll" => %{"options" => Enum.map(0..limit, fn _ -> "desu" end), "expires_in" => 1}
         })
@@ -430,13 +386,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "option character limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :max_option_chars])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "...",
           "poll" => %{
             "options" => [Enum.reduce(0..limit, "", fn _, acc -> acc <> "." end)],
@@ -449,13 +402,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "minimal date limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :min_expiration])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "imagine arbitrary limits",
           "poll" => %{
             "options" => ["this post was made by pleroma gang"],
@@ -468,13 +418,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "maximum date limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :max_expiration])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "imagine arbitrary limits",
           "poll" => %{
             "options" => ["this post was made by pleroma gang"],
@@ -487,19 +434,18 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
   end
 
-  test "get a status", %{conn: conn} do
+  test "get a status" do
+    %{conn: conn} = oauth_access(["read:statuses"])
     activity = insert(:note_activity)
 
-    conn =
-      conn
-      |> get("/api/v1/statuses/#{activity.id}")
+    conn = get(conn, "/api/v1/statuses/#{activity.id}")
 
     assert %{"id" => id} = json_response(conn, 200)
     assert id == to_string(activity.id)
   end
 
-  test "get a direct status", %{conn: conn} do
-    user = insert(:user)
+  test "get a direct status" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
     other_user = insert(:user)
 
     {:ok, activity} =
@@ -516,7 +462,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     assert res["pleroma"]["direct_conversation_id"] == participation.id
   end
 
-  test "get statuses by IDs", %{conn: conn} do
+  test "get statuses by IDs" do
+    %{conn: conn} = oauth_access(["read:statuses"])
     %{id: id1} = insert(:note_activity)
     %{id: id2} = insert(:note_activity)
 
@@ -527,9 +474,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   end
 
   describe "deleting a status" do
-    test "when you created it", %{conn: conn} do
-      activity = insert(:note_activity)
-      author = User.get_cached_by_ap_id(activity.data["actor"])
+    test "when you created it" do
+      %{user: author, conn: conn} = oauth_access(["write:statuses"])
+      activity = insert(:note_activity, user: author)
 
       conn =
         conn
@@ -541,14 +488,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       refute Activity.get_by_id(activity.id)
     end
 
-    test "when you didn't create it", %{conn: conn} do
+    test "when you didn't create it" do
+      %{conn: conn} = oauth_access(["write:statuses"])
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> delete("/api/v1/statuses/#{activity.id}")
+      conn = delete(conn, "/api/v1/statuses/#{activity.id}")
 
       assert %{"error" => _} = json_response(conn, 403)
 
@@ -564,6 +508,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       res_conn =
         conn
         |> assign(:user, admin)
+        |> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"]))
         |> delete("/api/v1/statuses/#{activity1.id}")
 
       assert %{} = json_response(res_conn, 200)
@@ -571,6 +516,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       res_conn =
         conn
         |> assign(:user, moderator)
+        |> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"]))
         |> delete("/api/v1/statuses/#{activity2.id}")
 
       assert %{} = json_response(res_conn, 200)
@@ -581,14 +527,12 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   end
 
   describe "reblogging" do
+    setup do: oauth_access(["write:statuses"])
+
     test "reblogs and returns the reblogged status", %{conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/reblog")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/reblog")
 
       assert %{
                "reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1},
@@ -600,12 +544,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
     test "reblogs privately and returns the reblogged status", %{conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/reblog", %{"visibility" => "private"})
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/reblog", %{"visibility" => "private"})
 
       assert %{
                "reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1},
@@ -616,7 +556,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert to_string(activity.id) == id
     end
 
-    test "reblogged status for another user", %{conn: conn} do
+    test "reblogged status for another user" do
       activity = insert(:note_activity)
       user1 = insert(:user)
       user2 = insert(:user)
@@ -627,8 +567,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       {:ok, _, _object} = CommonAPI.repeat(activity.id, user2)
 
       conn_res =
-        conn
+        build_conn()
         |> assign(:user, user3)
+        |> assign(:token, insert(:oauth_token, user: user3, scopes: ["read:statuses"]))
         |> get("/api/v1/statuses/#{reblog_activity1.id}")
 
       assert %{
@@ -639,8 +580,9 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
              } = json_response(conn_res, 200)
 
       conn_res =
-        conn
+        build_conn()
         |> assign(:user, user2)
+        |> assign(:token, insert(:oauth_token, user: user2, scopes: ["read:statuses"]))
         |> get("/api/v1/statuses/#{reblog_activity1.id}")
 
       assert %{
@@ -654,28 +596,21 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "returns 400 error when activity is not exist", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/foo/reblog")
+      conn = post(conn, "/api/v1/statuses/foo/reblog")
 
       assert json_response(conn, 400) == %{"error" => "Could not repeat"}
     end
   end
 
   describe "unreblogging" do
-    test "unreblogs and returns the unreblogged status", %{conn: conn} do
+    setup do: oauth_access(["write:statuses"])
+
+    test "unreblogs and returns the unreblogged status", %{user: user, conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
       {:ok, _, _} = CommonAPI.repeat(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/unreblog")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/unreblog")
 
       assert %{"id" => id, "reblogged" => false, "reblogs_count" => 0} = json_response(conn, 200)
 
@@ -683,26 +618,19 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "returns 400 error when activity is not exist", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/foo/unreblog")
+      conn = post(conn, "/api/v1/statuses/foo/unreblog")
 
       assert json_response(conn, 400) == %{"error" => "Could not unrepeat"}
     end
   end
 
   describe "favoriting" do
+    setup do: oauth_access(["write:favourites"])
+
     test "favs a status and returns it", %{conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/favourite")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/favourite")
 
       assert %{"id" => id, "favourites_count" => 1, "favourited" => true} =
                json_response(conn, 200)
@@ -711,28 +639,21 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "returns 400 error for a wrong id", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/1/favourite")
+      conn = post(conn, "/api/v1/statuses/1/favourite")
 
       assert json_response(conn, 400) == %{"error" => "Could not favorite"}
     end
   end
 
   describe "unfavoriting" do
-    test "unfavorites a status and returns it", %{conn: conn} do
+    setup do: oauth_access(["write:favourites"])
+
+    test "unfavorites a status and returns it", %{user: user, conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
       {:ok, _, _} = CommonAPI.favorite(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/unfavourite")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/unfavourite")
 
       assert %{"id" => id, "favourites_count" => 0, "favourited" => false} =
                json_response(conn, 200)
@@ -741,23 +662,19 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "returns 400 error for a wrong id", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/1/unfavourite")
+      conn = post(conn, "/api/v1/statuses/1/unfavourite")
 
       assert json_response(conn, 400) == %{"error" => "Could not unfavorite"}
     end
   end
 
   describe "pinned statuses" do
-    setup do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
+
+    setup %{user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "HI!!!"})
 
-      [user: user, activity: activity]
+      %{activity: activity}
     end
 
     clear_config([:instance, :max_pinned_statuses]) do
@@ -769,13 +686,11 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert %{"id" => ^id_str, "pinned" => true} =
                conn
-               |> assign(:user, user)
                |> post("/api/v1/statuses/#{activity.id}/pin")
                |> json_response(200)
 
       assert [%{"id" => ^id_str, "pinned" => true}] =
                conn
-               |> assign(:user, user)
                |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
                |> json_response(200)
     end
@@ -783,19 +698,16 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     test "/pin: returns 400 error when activity is not public", %{conn: conn, user: user} do
       {:ok, dm} = CommonAPI.post(user, %{"status" => "test", "visibility" => "direct"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{dm.id}/pin")
+      conn = post(conn, "/api/v1/statuses/#{dm.id}/pin")
 
       assert json_response(conn, 400) == %{"error" => "Could not pin"}
     end
 
     test "unpin status", %{conn: conn, user: user, activity: activity} do
       {:ok, _} = CommonAPI.pin(activity.id, user)
+      user = refresh_record(user)
 
       id_str = to_string(activity.id)
-      user = refresh_record(user)
 
       assert %{"id" => ^id_str, "pinned" => false} =
                conn
@@ -805,16 +717,12 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert [] =
                conn
-               |> assign(:user, user)
                |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
                |> json_response(200)
     end
 
-    test "/unpin: returns 400 error when activity is not exist", %{conn: conn, user: user} do
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/1/unpin")
+    test "/unpin: returns 400 error when activity is not exist", %{conn: conn} do
+      conn = post(conn, "/api/v1/statuses/1/unpin")
 
       assert json_response(conn, 400) == %{"error" => "Could not unpin"}
     end
@@ -826,7 +734,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       assert %{"id" => ^id_str_one, "pinned" => true} =
                conn
-               |> assign(:user, user)
                |> post("/api/v1/statuses/#{id_str_one}/pin")
                |> json_response(200)
 
@@ -844,8 +751,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     setup do
       Config.put([:rich_media, :enabled], true)
 
-      user = insert(:user)
-      %{user: user}
+      oauth_access(["read:statuses"])
     end
 
     test "returns rich-media card", %{conn: conn, user: user} do
@@ -887,7 +793,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       response_two =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/card")
         |> json_response(200)
 
@@ -925,72 +830,55 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   end
 
   test "bookmarks" do
-    user = insert(:user)
-    for_user = insert(:user)
+    %{conn: conn} = oauth_access(["write:bookmarks", "read:bookmarks"])
+    author = insert(:user)
 
     {:ok, activity1} =
-      CommonAPI.post(user, %{
+      CommonAPI.post(author, %{
         "status" => "heweoo?"
       })
 
     {:ok, activity2} =
-      CommonAPI.post(user, %{
+      CommonAPI.post(author, %{
         "status" => "heweoo!"
       })
 
-    response1 =
-      build_conn()
-      |> assign(:user, for_user)
-      |> post("/api/v1/statuses/#{activity1.id}/bookmark")
+    response1 = post(conn, "/api/v1/statuses/#{activity1.id}/bookmark")
 
     assert json_response(response1, 200)["bookmarked"] == true
 
-    response2 =
-      build_conn()
-      |> assign(:user, for_user)
-      |> post("/api/v1/statuses/#{activity2.id}/bookmark")
+    response2 = post(conn, "/api/v1/statuses/#{activity2.id}/bookmark")
 
     assert json_response(response2, 200)["bookmarked"] == true
 
-    bookmarks =
-      build_conn()
-      |> assign(:user, for_user)
-      |> get("/api/v1/bookmarks")
+    bookmarks = get(conn, "/api/v1/bookmarks")
 
     assert [json_response(response2, 200), json_response(response1, 200)] ==
              json_response(bookmarks, 200)
 
-    response1 =
-      build_conn()
-      |> assign(:user, for_user)
-      |> post("/api/v1/statuses/#{activity1.id}/unbookmark")
+    response1 = post(conn, "/api/v1/statuses/#{activity1.id}/unbookmark")
 
     assert json_response(response1, 200)["bookmarked"] == false
 
-    bookmarks =
-      build_conn()
-      |> assign(:user, for_user)
-      |> get("/api/v1/bookmarks")
+    bookmarks = get(conn, "/api/v1/bookmarks")
 
     assert [json_response(response2, 200)] == json_response(bookmarks, 200)
   end
 
   describe "conversation muting" do
+    setup do: oauth_access(["write:mutes"])
+
     setup do
       post_user = insert(:user)
-      user = insert(:user)
-
       {:ok, activity} = CommonAPI.post(post_user, %{"status" => "HIE"})
-
-      [user: user, activity: activity]
+      %{activity: activity}
     end
 
-    test "mute conversation", %{conn: conn, user: user, activity: activity} do
+    test "mute conversation", %{conn: conn, activity: activity} do
       id_str = to_string(activity.id)
 
       assert %{"id" => ^id_str, "muted" => true} =
                conn
-               |> assign(:user, user)
                |> post("/api/v1/statuses/#{activity.id}/mute")
                |> json_response(200)
     end
@@ -998,10 +886,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     test "cannot mute already muted conversation", %{conn: conn, user: user, activity: activity} do
       {:ok, _} = CommonAPI.add_mute(user, activity)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/mute")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/mute")
 
       assert json_response(conn, 400) == %{"error" => "conversation is already muted"}
     end
@@ -1010,11 +895,10 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       {:ok, _} = CommonAPI.add_mute(user, activity)
 
       id_str = to_string(activity.id)
-      user = refresh_record(user)
 
       assert %{"id" => ^id_str, "muted" => false} =
                conn
-               |> assign(:user, user)
+               # |> assign(:user, user)
                |> post("/api/v1/statuses/#{activity.id}/unmute")
                |> json_response(200)
     end
@@ -1031,6 +915,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     conn1 =
       conn
       |> assign(:user, user2)
+      |> assign(:token, insert(:oauth_token, user: user2, scopes: ["write:statuses"]))
       |> post("/api/v1/statuses", %{"status" => "xD", "in_reply_to_id" => replied_to.id})
 
     assert %{"content" => "xD", "id" => id} = json_response(conn1, 200)
@@ -1044,6 +929,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     conn2 =
       conn
       |> assign(:user, user3)
+      |> assign(:token, insert(:oauth_token, user: user3, scopes: ["write:statuses"]))
       |> post("/api/v1/statuses/#{activity.id}/reblog")
 
     assert %{"reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1}} =
@@ -1055,6 +941,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     conn3 =
       conn
       |> assign(:user, user3)
+      |> assign(:token, insert(:oauth_token, user: user3, scopes: ["read:statuses"]))
       |> get("api/v1/timelines/home")
 
     [reblogged_activity] = json_response(conn3, 200)
@@ -1066,15 +953,12 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   end
 
   describe "GET /api/v1/statuses/:id/favourited_by" do
-    setup do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    setup %{user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "test"})
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
-      [conn: conn, activity: activity, user: user]
+      %{activity: activity}
     end
 
     test "returns users who have favorited the status", %{conn: conn, activity: activity} do
@@ -1114,20 +998,18 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       response =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/favourited_by")
         |> json_response(:ok)
 
       assert Enum.empty?(response)
     end
 
-    test "does not fail on an unauthenticated request", %{conn: conn, activity: activity} do
+    test "does not fail on an unauthenticated request", %{activity: activity} do
       other_user = insert(:user)
       {:ok, _, _} = CommonAPI.favorite(activity.id, other_user)
 
       response =
-        conn
-        |> assign(:user, nil)
+        build_conn()
         |> get("/api/v1/statuses/#{activity.id}/favourited_by")
         |> json_response(:ok)
 
@@ -1135,7 +1017,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert id == other_user.id
     end
 
-    test "requires authentification for private posts", %{conn: conn, user: user} do
+    test "requires authentication for private posts", %{user: user} do
       other_user = insert(:user)
 
       {:ok, activity} =
@@ -1146,15 +1028,25 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       {:ok, _, _} = CommonAPI.favorite(activity.id, other_user)
 
+      favourited_by_url = "/api/v1/statuses/#{activity.id}/favourited_by"
+
+      build_conn()
+      |> get(favourited_by_url)
+      |> json_response(404)
+
+      conn =
+        build_conn()
+        |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
+
       conn
-      |> assign(:user, nil)
-      |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+      |> assign(:token, nil)
+      |> get(favourited_by_url)
       |> json_response(404)
 
       response =
-        build_conn()
-        |> assign(:user, other_user)
-        |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+        conn
+        |> get(favourited_by_url)
         |> json_response(200)
 
       [%{"id" => id}] = response
@@ -1163,15 +1055,12 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   end
 
   describe "GET /api/v1/statuses/:id/reblogged_by" do
-    setup do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    setup %{user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "test"})
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
-      [conn: conn, activity: activity, user: user]
+      %{activity: activity}
     end
 
     test "returns users who have reblogged the status", %{conn: conn, activity: activity} do
@@ -1211,7 +1100,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       response =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(:ok)
 
@@ -1219,7 +1107,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
     end
 
     test "does not return users who have reblogged the status privately", %{
-      conn: %{assigns: %{user: user}} = conn,
+      conn: conn,
       activity: activity
     } do
       other_user = insert(:user)
@@ -1228,20 +1116,18 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
       response =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(:ok)
 
       assert Enum.empty?(response)
     end
 
-    test "does not fail on an unauthenticated request", %{conn: conn, activity: activity} do
+    test "does not fail on an unauthenticated request", %{activity: activity} do
       other_user = insert(:user)
       {:ok, _, _} = CommonAPI.repeat(activity.id, other_user)
 
       response =
-        conn
-        |> assign(:user, nil)
+        build_conn()
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(:ok)
 
@@ -1249,7 +1135,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
       assert id == other_user.id
     end
 
-    test "requires authentification for private posts", %{conn: conn, user: user} do
+    test "requires authentication for private posts", %{user: user} do
       other_user = insert(:user)
 
       {:ok, activity} =
@@ -1258,14 +1144,14 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
           "visibility" => "direct"
         })
 
-      conn
-      |> assign(:user, nil)
+      build_conn()
       |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
       |> json_response(404)
 
       response =
         build_conn()
         |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(200)
 
@@ -1284,7 +1170,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
     response =
       build_conn()
-      |> assign(:user, nil)
       |> get("/api/v1/statuses/#{id3}/context")
       |> json_response(:ok)
 
@@ -1294,8 +1179,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
            } = response
   end
 
-  test "returns the favorites of a user", %{conn: conn} do
-    user = insert(:user)
+  test "returns the favorites of a user" do
+    %{user: user, conn: conn} = oauth_access(["read:favourites"])
     other_user = insert(:user)
 
     {:ok, _} = CommonAPI.post(other_user, %{"status" => "bla"})
@@ -1303,10 +1188,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
     {:ok, _, _} = CommonAPI.favorite(activity.id, user)
 
-    first_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/favourites")
+    first_conn = get(conn, "/api/v1/favourites")
 
     assert [status] = json_response(first_conn, 200)
     assert status["id"] == to_string(activity.id)
@@ -1325,18 +1207,12 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
 
     last_like = status["id"]
 
-    second_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/favourites?since_id=#{last_like}")
+    second_conn = get(conn, "/api/v1/favourites?since_id=#{last_like}")
 
     assert [second_status] = json_response(second_conn, 200)
     assert second_status["id"] == to_string(second_activity.id)
 
-    third_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/favourites?limit=0")
+    third_conn = get(conn, "/api/v1/favourites?limit=0")
 
     assert [] = json_response(third_conn, 200)
   end

test/web/mastodon_api/controllers/suggestion_controller_test.exs

@@ -11,8 +11,9 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
   import Pleroma.Factory
   import Tesla.Mock
 
-  setup do
-    user = insert(:user)
+  setup do: oauth_access(["read"])
+
+  setup %{user: user} do
     other_user = insert(:user)
     host = Config.get([Pleroma.Web.Endpoint, :url, :host])
     url500 = "http://test500?#{host}&#{user.nickname}"
@@ -32,31 +33,29 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
         }
     end)
 
-    [user: user, other_user: other_user]
+    [other_user: other_user]
   end
 
   clear_config(:suggestions)
 
-  test "returns empty result when suggestions disabled", %{conn: conn, user: user} do
+  test "returns empty result when suggestions disabled", %{conn: conn} do
     Config.put([:suggestions, :enabled], false)
 
     res =
       conn
-      |> assign(:user, user)
       |> get("/api/v1/suggestions")
       |> json_response(200)
 
     assert res == []
   end
 
-  test "returns error", %{conn: conn, user: user} do
+  test "returns error", %{conn: conn} do
     Config.put([:suggestions, :enabled], true)
     Config.put([:suggestions, :third_party_engine], "http://test500?{{host}}&{{user}}")
 
     assert capture_log(fn ->
              res =
                conn
-               |> assign(:user, user)
                |> get("/api/v1/suggestions")
                |> json_response(500)
 
@@ -64,13 +63,12 @@ defmodule Pleroma.Web.MastodonAPI.SuggestionControllerTest do
            end) =~ "Could not retrieve suggestions"
   end
 
-  test "returns suggestions", %{conn: conn, user: user, other_user: other_user} do
+  test "returns suggestions", %{conn: conn, other_user: other_user} do
     Config.put([:suggestions, :enabled], true)
     Config.put([:suggestions, :third_party_engine], "http://test200?{{host}}&{{user}}")
 
     res =
       conn
-      |> assign(:user, user)
       |> get("/api/v1/suggestions")
       |> json_response(200)
 

test/web/mastodon_api/controllers/timeline_controller_test.exs

@@ -20,31 +20,25 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
   end
 
   describe "home" do
-    test "the home timeline", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:statuses"])
+
+    test "the home timeline", %{user: user, conn: conn} do
       following = insert(:user)
 
       {:ok, _activity} = CommonAPI.post(following, %{"status" => "test"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/home")
+      ret_conn = get(conn, "/api/v1/timelines/home")
 
-      assert Enum.empty?(json_response(conn, :ok))
+      assert Enum.empty?(json_response(ret_conn, :ok))
 
-      {:ok, user} = User.follow(user, following)
+      {:ok, _user} = User.follow(user, following)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/home")
+      conn = get(conn, "/api/v1/timelines/home")
 
       assert [%{"content" => "test"}] = json_response(conn, :ok)
     end
 
-    test "the home timeline when the direct messages are excluded", %{conn: conn} do
-      user = insert(:user)
+    test "the home timeline when the direct messages are excluded", %{user: user, conn: conn} do
       {:ok, public_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "public"})
       {:ok, direct_activity} = CommonAPI.post(user, %{"status" => ".", "visibility" => "direct"})
 
@@ -54,10 +48,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
       {:ok, private_activity} =
         CommonAPI.post(user, %{"status" => ".", "visibility" => "private"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/home", %{"exclude_visibilities" => ["direct"]})
+      conn = get(conn, "/api/v1/timelines/home", %{"exclude_visibilities" => ["direct"]})
 
       assert status_ids = json_response(conn, :ok) |> Enum.map(& &1["id"])
       assert public_activity.id in status_ids
@@ -99,11 +90,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
     end
 
     test "the public timeline includes only public statuses for an authenticated user" do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
+      %{user: user, conn: conn} = oauth_access(["read:statuses"])
 
       {:ok, _activity} = CommonAPI.post(user, %{"status" => "test"})
       {:ok, _activity} = CommonAPI.post(user, %{"status" => "test", "visibility" => "private"})
@@ -134,11 +121,13 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
           "visibility" => "private"
         })
 
-      # Only direct should be visible here
-      res_conn =
+      conn_user_two =
         conn
         |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct")
+        |> assign(:token, insert(:oauth_token, user: user_two, scopes: ["read:statuses"]))
+
+      # Only direct should be visible here
+      res_conn = get(conn_user_two, "api/v1/timelines/direct")
 
       [status] = json_response(res_conn, :ok)
 
@@ -149,6 +138,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
       res_conn =
         build_conn()
         |> assign(:user, user_one)
+        |> assign(:token, insert(:oauth_token, user: user_one, scopes: ["read:statuses"]))
         |> get("api/v1/timelines/direct")
 
       [status] = json_response(res_conn, :ok)
@@ -156,10 +146,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
       assert %{"visibility" => "direct"} = status
 
       # Both should be visible here
-      res_conn =
-        conn
-        |> assign(:user, user_two)
-        |> get("api/v1/timelines/home")
+      res_conn = get(conn_user_two, "api/v1/timelines/home")
 
       [_s1, _s2] = json_response(res_conn, :ok)
 
@@ -172,28 +159,23 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
           })
       end)
 
-      res_conn =
-        conn
-        |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct")
+      res_conn = get(conn_user_two, "api/v1/timelines/direct")
 
       statuses = json_response(res_conn, :ok)
       assert length(statuses) == 20
 
       res_conn =
-        conn
-        |> assign(:user, user_two)
-        |> get("api/v1/timelines/direct", %{max_id: List.last(statuses)["id"]})
+        get(conn_user_two, "api/v1/timelines/direct", %{max_id: List.last(statuses)["id"]})
 
       [status] = json_response(res_conn, :ok)
 
       assert status["url"] != direct.data["id"]
     end
 
-    test "doesn't include DMs from blocked users", %{conn: conn} do
-      blocker = insert(:user)
+    test "doesn't include DMs from blocked users" do
+      %{user: blocker, conn: conn} = oauth_access(["read:statuses"])
       blocked = insert(:user)
-      user = insert(:user)
+      other_user = insert(:user)
       {:ok, _user_relationship} = User.block(blocker, blocked)
 
       {:ok, _blocked_direct} =
@@ -203,15 +185,12 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
         })
 
       {:ok, direct} =
-        CommonAPI.post(user, %{
+        CommonAPI.post(other_user, %{
           "status" => "Hi @#{blocker.nickname}!",
           "visibility" => "direct"
         })
 
-      res_conn =
-        conn
-        |> assign(:user, user)
-        |> get("api/v1/timelines/direct")
+      res_conn = get(conn, "api/v1/timelines/direct")
 
       [status] = json_response(res_conn, :ok)
       assert status["id"] == direct.id
@@ -219,26 +198,26 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
   end
 
   describe "list" do
-    test "list timeline", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["read:lists"])
+
+    test "list timeline", %{user: user, conn: conn} do
       other_user = insert(:user)
       {:ok, _activity_one} = CommonAPI.post(user, %{"status" => "Marisa is cute."})
       {:ok, activity_two} = CommonAPI.post(other_user, %{"status" => "Marisa is cute."})
       {:ok, list} = Pleroma.List.create("name", user)
       {:ok, list} = Pleroma.List.follow(list, other_user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/list/#{list.id}")
+      conn = get(conn, "/api/v1/timelines/list/#{list.id}")
 
       assert [%{"id" => id}] = json_response(conn, :ok)
 
       assert id == to_string(activity_two.id)
     end
 
-    test "list timeline does not leak non-public statuses for unfollowed users", %{conn: conn} do
-      user = insert(:user)
+    test "list timeline does not leak non-public statuses for unfollowed users", %{
+      user: user,
+      conn: conn
+    } do
       other_user = insert(:user)
       {:ok, activity_one} = CommonAPI.post(other_user, %{"status" => "Marisa is cute."})
 
@@ -251,10 +230,7 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
       {:ok, list} = Pleroma.List.create("name", user)
       {:ok, list} = Pleroma.List.follow(list, other_user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/timelines/list/#{list.id}")
+      conn = get(conn, "/api/v1/timelines/list/#{list.id}")
 
       assert [%{"id" => id}] = json_response(conn, :ok)
 
@@ -263,6 +239,8 @@ defmodule Pleroma.Web.MastodonAPI.TimelineControllerTest do
   end
 
   describe "hashtag" do
+    setup do: oauth_access(["n/a"])
+
     @tag capture_log: true
     test "hashtag timeline", %{conn: conn} do
       following = insert(:user)

test/web/mastodon_api/mastodon_api_controller_test.exs

@@ -5,69 +5,9 @@
 defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
   use Pleroma.Web.ConnCase
 
-  alias Pleroma.Notification
-  alias Pleroma.Repo
-  alias Pleroma.Web.CommonAPI
-
-  import Pleroma.Factory
-  import Tesla.Mock
-
-  setup do
-    mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
-    :ok
-  end
-
-  clear_config([:rich_media, :enabled])
-
-  test "unimplemented follow_requests, blocks, domain blocks" do
-    user = insert(:user)
-
-    ["blocks", "domain_blocks", "follow_requests"]
-    |> Enum.each(fn endpoint ->
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> get("/api/v1/#{endpoint}")
-
-      assert [] = json_response(conn, 200)
-    end)
-  end
-
-  describe "link headers" do
-    test "preserves parameters in link headers", %{conn: conn} do
-      user = insert(:user)
-      other_user = insert(:user)
-
-      {:ok, activity1} =
-        CommonAPI.post(other_user, %{
-          "status" => "hi @#{user.nickname}",
-          "visibility" => "public"
-        })
-
-      {:ok, activity2} =
-        CommonAPI.post(other_user, %{
-          "status" => "hi @#{user.nickname}",
-          "visibility" => "public"
-        })
-
-      notification1 = Repo.get_by(Notification, activity_id: activity1.id)
-      notification2 = Repo.get_by(Notification, activity_id: activity2.id)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> get("/api/v1/notifications", %{media_only: true})
-
-      assert [link_header] = get_resp_header(conn, "link")
-      assert link_header =~ ~r/media_only=true/
-      assert link_header =~ ~r/min_id=#{notification2.id}/
-      assert link_header =~ ~r/max_id=#{notification1.id}/
-    end
-  end
-
-  describe "empty_array, stubs for mastodon api" do
-    test "GET /api/v1/accounts/:id/identity_proofs", %{conn: conn} do
-      user = insert(:user)
+  describe "empty_array/2 (stubs)" do
+    test "GET /api/v1/accounts/:id/identity_proofs" do
+      %{user: user, conn: conn} = oauth_access(["n/a"])
 
       res =
         conn
@@ -78,12 +18,11 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
       assert res == []
     end
 
-    test "GET /api/v1/endorsements", %{conn: conn} do
-      user = insert(:user)
+    test "GET /api/v1/endorsements" do
+      %{conn: conn} = oauth_access(["read:accounts"])
 
       res =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/endorsements")
         |> json_response(200)
 
@@ -91,11 +30,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
     end
 
     test "GET /api/v1/trends", %{conn: conn} do
-      user = insert(:user)
-
       res =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/trends")
         |> json_response(200)
 

test/web/mastodon_api/views/status_view_test.exs

@@ -394,6 +394,21 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
     assert length(represented[:media_attachments]) == 1
   end
 
+  test "a Mobilizon event" do
+    user = insert(:user)
+
+    {:ok, object} =
+      Pleroma.Object.Fetcher.fetch_object_from_id(
+        "https://mobilizon.org/events/252d5816-00a3-4a89-a66f-15bf65c33e39"
+      )
+
+    %Activity{} = activity = Activity.get_create_by_object_ap_id(object.data["id"])
+
+    represented = StatusView.render("show.json", %{for: user, activity: activity})
+
+    assert represented[:id] == to_string(activity.id)
+  end
+
   describe "build_tags/1" do
     test "it returns a a dictionary tags" do
       object_tags = [

test/web/metadata/twitter_card_test.exs

@@ -26,7 +26,32 @@ defmodule Pleroma.Web.Metadata.Providers.TwitterCardTest do
            ]
   end
 
-  test "it does not render attachments if post is nsfw" do
+  test "it uses summary twittercard if post has no attachment" do
+    user = insert(:user, name: "Jimmy Hendriks", bio: "born 19 March 1994")
+    {:ok, activity} = CommonAPI.post(user, %{"status" => "HI"})
+
+    note =
+      insert(:note, %{
+        data: %{
+          "actor" => user.ap_id,
+          "tag" => [],
+          "id" => "https://pleroma.gov/objects/whatever",
+          "content" => "pleroma in a nutshell"
+        }
+      })
+
+    result = TwitterCard.build_tags(%{object: note, user: user, activity_id: activity.id})
+
+    assert [
+             {:meta, [property: "twitter:title", content: Utils.user_name_string(user)], []},
+             {:meta, [property: "twitter:description", content: "“pleroma in a nutshell”"], []},
+             {:meta, [property: "twitter:image", content: "http://localhost:4001/images/avi.png"],
+              []},
+             {:meta, [property: "twitter:card", content: "summary"], []}
+           ] == result
+  end
+
+  test "it renders avatar not attachment if post is nsfw and unfurl_nsfw is disabled" do
     Pleroma.Config.put([Pleroma.Web.Metadata, :unfurl_nsfw], false)
     user = insert(:user, name: "Jimmy Hendriks", bio: "born 19 March 1994")
     {:ok, activity} = CommonAPI.post(user, %{"status" => "HI"})
@@ -67,7 +92,7 @@ defmodule Pleroma.Web.Metadata.Providers.TwitterCardTest do
              {:meta, [property: "twitter:description", content: "“pleroma in a nutshell”"], []},
              {:meta, [property: "twitter:image", content: "http://localhost:4001/images/avi.png"],
               []},
-             {:meta, [property: "twitter:card", content: "summary_large_image"], []}
+             {:meta, [property: "twitter:card", content: "summary"], []}
            ] == result
   end
 

test/web/metadata/utils_test.exs

@@ -0,0 +1,32 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Metadata.UtilsTest do
+  use Pleroma.DataCase
+  import Pleroma.Factory
+  alias Pleroma.Web.Metadata.Utils
+
+  describe "scrub_html_and_truncate/1" do
+    test "it returns text without encode HTML" do
+      user = insert(:user)
+
+      note =
+        insert(:note, %{
+          data: %{
+            "actor" => user.ap_id,
+            "id" => "https://pleroma.gov/objects/whatever",
+            "content" => "Pleroma's really cool!"
+          }
+        })
+
+      assert Utils.scrub_html_and_truncate(note) == "Pleroma's really cool!"
+    end
+  end
+
+  describe "scrub_html_and_truncate/2" do
+    test "it returns text without encode HTML" do
+      assert Utils.scrub_html_and_truncate("Pleroma's really cool!") == "Pleroma's really cool!"
+    end
+  end
+end

test/web/oauth/oauth_controller_test.exs

@@ -450,7 +450,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
 
     test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
          %{app: app, conn: conn} do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -474,7 +474,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -497,7 +497,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -523,7 +523,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            conn: conn
          } do
       unlisted_redirect_uri = "http://cross-site-request.com"
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -547,7 +547,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn

test/web/pleroma_api/controllers/account_controller_test.exs

@@ -33,7 +33,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
     test "resend account confirmation email", %{conn: conn, user: user} do
       conn
-      |> assign(:user, user)
       |> post("/api/v1/pleroma/accounts/confirmation_resend?email=#{user.email}")
       |> json_response(:no_content)
 
@@ -52,14 +51,12 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
   end
 
   describe "PATCH /api/v1/pleroma/accounts/update_avatar" do
-    test "user avatar can be set", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
+
+    test "user avatar can be set", %{user: user, conn: conn} do
       avatar_image = File.read!("test/fixtures/avatar_data_uri")
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_avatar", %{img: avatar_image})
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_avatar", %{img: avatar_image})
 
       user = refresh_record(user)
 
@@ -78,13 +75,8 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
       assert %{"url" => _} = json_response(conn, 200)
     end
 
-    test "user avatar can be reset", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_avatar", %{img: ""})
+    test "user avatar can be reset", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_avatar", %{img: ""})
 
       user = User.get_cached_by_id(user.id)
 
@@ -95,13 +87,10 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
   end
 
   describe "PATCH /api/v1/pleroma/accounts/update_banner" do
-    test "can set profile banner", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_banner", %{"banner" => @image})
+    test "can set profile banner", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_banner", %{"banner" => @image})
 
       user = refresh_record(user)
       assert user.banner["type"] == "Image"
@@ -109,13 +98,8 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
       assert %{"url" => _} = json_response(conn, 200)
     end
 
-    test "can reset profile banner", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_banner", %{"banner" => ""})
+    test "can reset profile banner", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_banner", %{"banner" => ""})
 
       user = refresh_record(user)
       assert user.banner == %{}
@@ -125,26 +109,18 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
   end
 
   describe "PATCH /api/v1/pleroma/accounts/update_background" do
-    test "background image can be set", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_background", %{"img" => @image})
+    test "background image can be set", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_background", %{"img" => @image})
 
       user = refresh_record(user)
       assert user.background["type"] == "Image"
       assert %{"url" => _} = json_response(conn, 200)
     end
 
-    test "background image can be reset", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/pleroma/accounts/update_background", %{"img" => ""})
+    test "background image can be reset", %{user: user, conn: conn} do
+      conn = patch(conn, "/api/v1/pleroma/accounts/update_background", %{"img" => ""})
 
       user = refresh_record(user)
       assert user.background == %{}
@@ -155,12 +131,12 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
   describe "getting favorites timeline of specified user" do
     setup do
       [current_user, user] = insert_pair(:user, hide_favorites: false)
-      [current_user: current_user, user: user]
+      %{user: current_user, conn: conn} = oauth_access(["read:favourites"], user: current_user)
+      [current_user: current_user, user: user, conn: conn]
     end
 
     test "returns list of statuses favorited by specified user", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       [activity | _] = insert_pair(:note_activity)
@@ -168,7 +144,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
         |> json_response(:ok)
 
@@ -178,23 +153,18 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
       assert like["id"] == activity.id
     end
 
-    test "returns favorites for specified user_id when user is not logged in", %{
-      conn: conn,
+    test "does not return favorites for specified user_id when user is not logged in", %{
       user: user
     } do
       activity = insert(:note_activity)
       CommonAPI.favorite(activity.id, user)
 
-      response =
-        conn
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> json_response(:ok)
-
-      assert length(response) == 1
+      build_conn()
+      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      |> json_response(403)
     end
 
     test "returns favorited DM only when user is logged in and he is one of recipients", %{
-      conn: conn,
       current_user: current_user,
       user: user
     } do
@@ -206,25 +176,24 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
       CommonAPI.favorite(direct.id, user)
 
-      response =
-        conn
-        |> assign(:user, current_user)
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> json_response(:ok)
+      for u <- [user, current_user] do
+        response =
+          build_conn()
+          |> assign(:user, u)
+          |> assign(:token, insert(:oauth_token, user: u, scopes: ["read:favourites"]))
+          |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+          |> json_response(:ok)
 
-      assert length(response) == 1
+        assert length(response) == 1
+      end
 
-      anonymous_response =
-        conn
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-        |> json_response(:ok)
-
-      assert Enum.empty?(anonymous_response)
+      build_conn()
+      |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      |> json_response(403)
     end
 
     test "does not return others' favorited DM when user is not one of recipients", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       user_two = insert(:user)
@@ -239,7 +208,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
         |> json_response(:ok)
 
@@ -248,7 +216,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
     test "paginates favorites using since_id and max_id", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       activities = insert_list(10, :note_activity)
@@ -262,7 +229,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites", %{
           since_id: third_activity.id,
           max_id: seventh_activity.id
@@ -276,7 +242,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
     test "limits favorites using limit parameter", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       7
@@ -287,7 +252,6 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites", %{limit: "3"})
         |> json_response(:ok)
 
@@ -296,12 +260,10 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
 
     test "returns empty response when user does not have any favorited statuses", %{
       conn: conn,
-      current_user: current_user,
       user: user
     } do
       response =
         conn
-        |> assign(:user, current_user)
         |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
         |> json_response(:ok)
 
@@ -314,79 +276,61 @@ defmodule Pleroma.Web.PleromaAPI.AccountControllerTest do
       assert json_response(conn, 404) == %{"error" => "Record not found"}
     end
 
-    test "returns 403 error when user has hidden own favorites", %{
-      conn: conn,
-      current_user: current_user
-    } do
+    test "returns 403 error when user has hidden own favorites", %{conn: conn} do
       user = insert(:user, hide_favorites: true)
       activity = insert(:note_activity)
       CommonAPI.favorite(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, current_user)
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/favourites")
 
       assert json_response(conn, 403) == %{"error" => "Can't get favorites"}
     end
 
-    test "hides favorites for new users by default", %{conn: conn, current_user: current_user} do
+    test "hides favorites for new users by default", %{conn: conn} do
       user = insert(:user)
       activity = insert(:note_activity)
       CommonAPI.favorite(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, current_user)
-        |> get("/api/v1/pleroma/accounts/#{user.id}/favourites")
-
       assert user.hide_favorites
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/favourites")
+
       assert json_response(conn, 403) == %{"error" => "Can't get favorites"}
     end
   end
 
   describe "subscribing / unsubscribing" do
-    test "subscribing / unsubscribing to a user", %{conn: conn} do
-      user = insert(:user)
+    test "subscribing / unsubscribing to a user" do
+      %{user: user, conn: conn} = oauth_access(["follow"])
       subscription_target = insert(:user)
 
-      conn =
+      ret_conn =
         conn
         |> assign(:user, user)
         |> post("/api/v1/pleroma/accounts/#{subscription_target.id}/subscribe")
 
-      assert %{"id" => _id, "subscribing" => true} = json_response(conn, 200)
+      assert %{"id" => _id, "subscribing" => true} = json_response(ret_conn, 200)
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/accounts/#{subscription_target.id}/unsubscribe")
+      conn = post(conn, "/api/v1/pleroma/accounts/#{subscription_target.id}/unsubscribe")
 
       assert %{"id" => _id, "subscribing" => false} = json_response(conn, 200)
     end
   end
 
   describe "subscribing" do
-    test "returns 404 when subscription_target not found", %{conn: conn} do
-      user = insert(:user)
+    test "returns 404 when subscription_target not found" do
+      %{conn: conn} = oauth_access(["write:follows"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/accounts/target_id/subscribe")
+      conn = post(conn, "/api/v1/pleroma/accounts/target_id/subscribe")
 
       assert %{"error" => "Record not found"} = json_response(conn, 404)
     end
   end
 
   describe "unsubscribing" do
-    test "returns 404 when subscription_target not found", %{conn: conn} do
-      user = insert(:user)
+    test "returns 404 when subscription_target not found" do
+      %{conn: conn} = oauth_access(["follow"])
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/accounts/target_id/unsubscribe")
+      conn = post(conn, "/api/v1/pleroma/accounts/target_id/unsubscribe")
 
       assert %{"error" => "Record not found"} = json_response(conn, 404)
     end

test/web/pleroma_api/controllers/emoji_api_controller_test.exs

@@ -39,9 +39,12 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
 
   test "listing remote packs" do
     admin = insert(:user, is_admin: true)
-    conn = build_conn() |> assign(:user, admin)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
-    resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
+    resp =
+      build_conn()
+      |> get(emoji_api_path(conn, :list_packs))
+      |> json_response(200)
 
     mock(fn
       %{method: :get, url: "https://example.com/.well-known/nodeinfo"} ->
@@ -123,7 +126,10 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
 
     admin = insert(:user, is_admin: true)
 
-    conn = build_conn() |> assign(:user, admin)
+    conn =
+      build_conn()
+      |> assign(:user, admin)
+      |> assign(:token, insert(:oauth_admin_token, user: admin, scopes: ["admin:write"]))
 
     assert (conn
             |> put_req_header("content-type", "application/json")
@@ -168,8 +174,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
 
     # non-shared, downloaded from the fallback URL
 
-    conn = build_conn() |> assign(:user, admin)
-
     assert conn
            |> put_req_header("content-type", "application/json")
            |> post(
@@ -205,8 +209,12 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
         File.write!(pack_file, original_content)
       end)
 
+      admin = insert(:user, is_admin: true)
+      %{conn: conn} = oauth_access(["admin:write"], user: admin)
+
       {:ok,
-       admin: insert(:user, is_admin: true),
+       admin: admin,
+       conn: conn,
        pack_file: pack_file,
        new_data: %{
          "license" => "Test license changed",
@@ -217,10 +225,9 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
     end
 
     test "for a pack without a fallback source", ctx do
-      conn = build_conn()
+      conn = ctx[:conn]
 
       assert conn
-             |> assign(:user, ctx[:admin])
              |> post(
                emoji_api_path(conn, :update_metadata, "test_pack"),
                %{
@@ -250,10 +257,9 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
           "74409E2674DAA06C072729C6C8426C4CB3B7E0B85ED77792DB7A436E11D76DAF"
         )
 
-      conn = build_conn()
+      conn = ctx[:conn]
 
       assert conn
-             |> assign(:user, ctx[:admin])
              |> post(
                emoji_api_path(conn, :update_metadata, "test_pack"),
                %{
@@ -277,10 +283,9 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
 
       new_data = Map.put(ctx[:new_data], "fallback-src", "https://nonshared-pack")
 
-      conn = build_conn()
+      conn = ctx[:conn]
 
       assert (conn
-              |> assign(:user, ctx[:admin])
               |> post(
                 emoji_api_path(conn, :update_metadata, "test_pack"),
                 %{
@@ -304,8 +309,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
     end)
 
     admin = insert(:user, is_admin: true)
-
-    conn = build_conn()
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
     same_name = %{
       "action" => "add",
@@ -319,8 +323,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
 
     different_name = %{same_name | "shortcode" => "blank_2"}
 
-    conn = conn |> assign(:user, admin)
-
     assert (conn
             |> post(emoji_api_path(conn, :update_file, "test_pack"), same_name)
             |> json_response(:conflict))["error"] =~ "already exists"
@@ -392,8 +394,7 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
     end)
 
     admin = insert(:user, is_admin: true)
-
-    conn = build_conn() |> assign(:user, admin)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
     assert conn
            |> put_req_header("content-type", "application/json")
@@ -432,9 +433,9 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
     refute Map.has_key?(resp, "test_pack_for_import")
 
     admin = insert(:user, is_admin: true)
+    %{conn: conn} = oauth_access(["admin:write"], user: admin)
 
     assert conn
-           |> assign(:user, admin)
            |> post(emoji_api_path(conn, :import_from_fs))
            |> json_response(200) == ["test_pack_for_import"]
 
@@ -449,11 +450,10 @@ defmodule Pleroma.Web.PleromaAPI.EmojiAPIControllerTest do
     File.write!("#{@emoji_dir_path}/test_pack_for_import/emoji.txt", emoji_txt_content)
 
     assert conn
-           |> assign(:user, admin)
            |> post(emoji_api_path(conn, :import_from_fs))
            |> json_response(200) == ["test_pack_for_import"]
 
-    resp = conn |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
+    resp = build_conn() |> get(emoji_api_path(conn, :list_packs)) |> json_response(200)
 
     assert resp["test_pack_for_import"]["files"] == %{
              "blank" => "blank.png",

test/web/pleroma_api/controllers/mascot_controller_test.exs

@@ -7,10 +7,8 @@ defmodule Pleroma.Web.PleromaAPI.MascotControllerTest do
 
   alias Pleroma.User
 
-  import Pleroma.Factory
-
-  test "mascot upload", %{conn: conn} do
-    user = insert(:user)
+  test "mascot upload" do
+    %{conn: conn} = oauth_access(["write:accounts"])
 
     non_image_file = %Plug.Upload{
       content_type: "audio/mpeg",
@@ -18,12 +16,9 @@ defmodule Pleroma.Web.PleromaAPI.MascotControllerTest do
       filename: "sound.mp3"
     }
 
-    conn =
-      conn
-      |> assign(:user, user)
-      |> put("/api/v1/pleroma/mascot", %{"file" => non_image_file})
+    ret_conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => non_image_file})
 
-    assert json_response(conn, 415)
+    assert json_response(ret_conn, 415)
 
     file = %Plug.Upload{
       content_type: "image/jpg",
@@ -31,23 +26,18 @@ defmodule Pleroma.Web.PleromaAPI.MascotControllerTest do
       filename: "an_image.jpg"
     }
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> put("/api/v1/pleroma/mascot", %{"file" => file})
+    conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => file})
 
     assert %{"id" => _, "type" => image} = json_response(conn, 200)
   end
 
-  test "mascot retrieving", %{conn: conn} do
-    user = insert(:user)
-    # When user hasn't set a mascot, we should just get pleroma tan back
-    conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/pleroma/mascot")
+  test "mascot retrieving" do
+    %{user: user, conn: conn} = oauth_access(["read:accounts", "write:accounts"])
 
-    assert %{"url" => url} = json_response(conn, 200)
+    # When user hasn't set a mascot, we should just get pleroma tan back
+    ret_conn = get(conn, "/api/v1/pleroma/mascot")
+
+    assert %{"url" => url} = json_response(ret_conn, 200)
     assert url =~ "pleroma-fox-tan-smol"
 
     # When a user sets their mascot, we should get that back
@@ -57,17 +47,14 @@ defmodule Pleroma.Web.PleromaAPI.MascotControllerTest do
       filename: "an_image.jpg"
     }
 
-    conn =
-      build_conn()
-      |> assign(:user, user)
-      |> put("/api/v1/pleroma/mascot", %{"file" => file})
+    ret_conn = put(conn, "/api/v1/pleroma/mascot", %{"file" => file})
 
-    assert json_response(conn, 200)
+    assert json_response(ret_conn, 200)
 
     user = User.get_cached_by_id(user.id)
 
     conn =
-      build_conn()
+      conn
       |> assign(:user, user)
       |> get("/api/v1/pleroma/mascot")
 

test/web/pleroma_api/controllers/pleroma_api_controller_test.exs

@@ -23,6 +23,7 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
     result =
       conn
       |> assign(:user, other_user)
+      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["write:statuses"]))
       |> post("/api/v1/pleroma/statuses/#{activity.id}/react_with_emoji", %{"emoji" => "☕"})
 
     assert %{"id" => id} = json_response(result, 200)
@@ -39,6 +40,7 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
     result =
       conn
       |> assign(:user, other_user)
+      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["write:statuses"]))
       |> post("/api/v1/pleroma/statuses/#{activity.id}/unreact_with_emoji", %{"emoji" => "☕"})
 
     assert %{"id" => id} = json_response(result, 200)
@@ -55,6 +57,11 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
     {:ok, activity} = CommonAPI.post(user, %{"status" => "#cofe"})
 
+    conn =
+      conn
+      |> assign(:user, user)
+      |> assign(:token, insert(:oauth_token, user: user, scopes: ["read:statuses"]))
+
     result =
       conn
       |> get("/api/v1/pleroma/statuses/#{activity.id}/emoji_reactions_by")
@@ -73,9 +80,9 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
     assert represented_user["id"] == other_user.id
   end
 
-  test "/api/v1/pleroma/conversations/:id", %{conn: conn} do
+  test "/api/v1/pleroma/conversations/:id" do
     user = insert(:user)
-    other_user = insert(:user)
+    %{user: other_user, conn: conn} = oauth_access(["read:statuses"])
 
     {:ok, _activity} =
       CommonAPI.post(user, %{"status" => "Hi @#{other_user.nickname}!", "visibility" => "direct"})
@@ -84,16 +91,15 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
     result =
       conn
-      |> assign(:user, other_user)
       |> get("/api/v1/pleroma/conversations/#{participation.id}")
       |> json_response(200)
 
     assert result["id"] == participation.id |> to_string()
   end
 
-  test "/api/v1/pleroma/conversations/:id/statuses", %{conn: conn} do
+  test "/api/v1/pleroma/conversations/:id/statuses" do
     user = insert(:user)
-    other_user = insert(:user)
+    %{user: other_user, conn: conn} = oauth_access(["read:statuses"])
     third_user = insert(:user)
 
     {:ok, _activity} =
@@ -113,7 +119,6 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
     result =
       conn
-      |> assign(:user, other_user)
       |> get("/api/v1/pleroma/conversations/#{participation.id}/statuses")
       |> json_response(200)
 
@@ -124,8 +129,8 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
     assert [%{"id" => ^id_one}, %{"id" => ^id_two}] = result
   end
 
-  test "PATCH /api/v1/pleroma/conversations/:id", %{conn: conn} do
-    user = insert(:user)
+  test "PATCH /api/v1/pleroma/conversations/:id" do
+    %{user: user, conn: conn} = oauth_access(["write:conversations"])
     other_user = insert(:user)
 
     {:ok, _activity} = CommonAPI.post(user, %{"status" => "Hi", "visibility" => "direct"})
@@ -140,7 +145,6 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
     result =
       conn
-      |> assign(:user, user)
       |> patch("/api/v1/pleroma/conversations/#{participation.id}", %{
         "recipients" => [user.id, other_user.id]
       })
@@ -155,9 +159,9 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
     assert other_user in participation.recipients
   end
 
-  test "POST /api/v1/pleroma/conversations/read", %{conn: conn} do
+  test "POST /api/v1/pleroma/conversations/read" do
     user = insert(:user)
-    other_user = insert(:user)
+    %{user: other_user, conn: conn} = oauth_access(["write:notifications"])
 
     {:ok, _activity} =
       CommonAPI.post(user, %{"status" => "Hi @#{other_user.nickname}", "visibility" => "direct"})
@@ -172,7 +176,6 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
     [%{"unread" => false}, %{"unread" => false}] =
       conn
-      |> assign(:user, other_user)
       |> post("/api/v1/pleroma/conversations/read", %{})
       |> json_response(200)
 
@@ -183,8 +186,9 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
   end
 
   describe "POST /api/v1/pleroma/notifications/read" do
-    test "it marks a single notification as read", %{conn: conn} do
-      user1 = insert(:user)
+    setup do: oauth_access(["write:notifications"])
+
+    test "it marks a single notification as read", %{user: user1, conn: conn} do
       user2 = insert(:user)
       {:ok, activity1} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
       {:ok, activity2} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
@@ -193,7 +197,6 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/v1/pleroma/notifications/read", %{"id" => "#{notification1.id}"})
         |> json_response(:ok)
 
@@ -202,8 +205,7 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
       refute Repo.get(Notification, notification2.id).seen
     end
 
-    test "it marks multiple notifications as read", %{conn: conn} do
-      user1 = insert(:user)
+    test "it marks multiple notifications as read", %{user: user1, conn: conn} do
       user2 = insert(:user)
       {:ok, _activity1} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
       {:ok, _activity2} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
@@ -213,7 +215,6 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
 
       [response1, response2] =
         conn
-        |> assign(:user, user1)
         |> post("/api/v1/pleroma/notifications/read", %{"max_id" => "#{notification2.id}"})
         |> json_response(:ok)
 
@@ -225,11 +226,8 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIControllerTest do
     end
 
     test "it returns error when notification not found", %{conn: conn} do
-      user1 = insert(:user)
-
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/v1/pleroma/notifications/read", %{"id" => "22222222222222"})
         |> json_response(:bad_request)
 

test/web/pleroma_api/controllers/scrobble_controller_test.exs

@@ -6,16 +6,13 @@ defmodule Pleroma.Web.PleromaAPI.ScrobbleControllerTest do
   use Pleroma.Web.ConnCase
 
   alias Pleroma.Web.CommonAPI
-  import Pleroma.Factory
 
   describe "POST /api/v1/pleroma/scrobble" do
-    test "works correctly", %{conn: conn} do
-      user = insert(:user)
+    test "works correctly" do
+      %{conn: conn} = oauth_access(["write"])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/pleroma/scrobble", %{
+        post(conn, "/api/v1/pleroma/scrobble", %{
           "title" => "lain radio episode 1",
           "artist" => "lain",
           "album" => "lain radio",
@@ -27,8 +24,8 @@ defmodule Pleroma.Web.PleromaAPI.ScrobbleControllerTest do
   end
 
   describe "GET /api/v1/pleroma/accounts/:id/scrobbles" do
-    test "works correctly", %{conn: conn} do
-      user = insert(:user)
+    test "works correctly" do
+      %{user: user, conn: conn} = oauth_access(["read"])
 
       {:ok, _activity} =
         CommonAPI.listen(user, %{
@@ -51,9 +48,7 @@ defmodule Pleroma.Web.PleromaAPI.ScrobbleControllerTest do
           "album" => "lain radio"
         })
 
-      conn =
-        conn
-        |> get("/api/v1/pleroma/accounts/#{user.id}/scrobbles")
+      conn = get(conn, "/api/v1/pleroma/accounts/#{user.id}/scrobbles")
 
       result = json_response(conn, 200)
 

test/web/twitter_api/remote_follow_controller_test.exs

@@ -0,0 +1,235 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.TwitterAPI.RemoteFollowControllerTest do
+  use Pleroma.Web.ConnCase
+
+  alias Pleroma.User
+  alias Pleroma.Web.CommonAPI
+  import ExUnit.CaptureLog
+  import Pleroma.Factory
+
+  setup do
+    Tesla.Mock.mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
+    :ok
+  end
+
+  clear_config([:instance])
+  clear_config([:frontend_configurations, :pleroma_fe])
+  clear_config([:user, :deny_follow_blocked])
+
+  describe "GET /ostatus_subscribe - remote_follow/2" do
+    test "adds status to pleroma instance if the `acct` is a status", %{conn: conn} do
+      assert conn
+             |> get(
+               remote_follow_path(conn, :follow, %{
+                 acct: "https://mastodon.social/users/emelie/statuses/101849165031453009"
+               })
+             )
+             |> redirected_to() =~ "/notice/"
+    end
+
+    test "show follow account page if the `acct` is a account link", %{conn: conn} do
+      response =
+        conn
+        |> get(remote_follow_path(conn, :follow, %{acct: "https://mastodon.social/users/emelie"}))
+        |> html_response(200)
+
+      assert response =~ "Log in to follow"
+    end
+
+    test "show follow page if the `acct` is a account link", %{conn: conn} do
+      user = insert(:user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> get(remote_follow_path(conn, :follow, %{acct: "https://mastodon.social/users/emelie"}))
+        |> html_response(200)
+
+      assert response =~ "Remote follow"
+    end
+
+    test "show follow page with error when user cannot fecth by `acct` link", %{conn: conn} do
+      user = insert(:user)
+
+      assert capture_log(fn ->
+               response =
+                 conn
+                 |> assign(:user, user)
+                 |> get(
+                   remote_follow_path(conn, :follow, %{
+                     acct: "https://mastodon.social/users/not_found"
+                   })
+                 )
+                 |> html_response(200)
+
+               assert response =~ "Error fetching user"
+             end) =~ "Object has been deleted"
+    end
+  end
+
+  describe "POST /ostatus_subscribe - do_follow/2 with assigned user " do
+    test "required `follow | write:follows` scope", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+      read_token = insert(:oauth_token, user: user, scopes: ["read"])
+
+      assert capture_log(fn ->
+               response =
+                 conn
+                 |> assign(:user, user)
+                 |> assign(:token, read_token)
+                 |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => user2.id}})
+                 |> response(200)
+
+               assert response =~ "Error following account"
+             end) =~ "Insufficient permissions: follow | write:follows."
+    end
+
+    test "follows user", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:follows"]))
+        |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => user2.id}})
+        |> response(200)
+
+      assert response =~ "Account followed!"
+      assert user2.follower_address in User.following(user)
+    end
+
+    test "returns error when user is deactivated", %{conn: conn} do
+      user = insert(:user, deactivated: true)
+      user2 = insert(:user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => user2.id}})
+        |> response(200)
+
+      assert response =~ "Error following account"
+    end
+
+    test "returns error when user is blocked", %{conn: conn} do
+      Pleroma.Config.put([:user, :deny_follow_blocked], true)
+      user = insert(:user)
+      user2 = insert(:user)
+
+      {:ok, _user_block} = Pleroma.User.block(user2, user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => user2.id}})
+        |> response(200)
+
+      assert response =~ "Error following account"
+    end
+
+    test "returns error when followee not found", %{conn: conn} do
+      user = insert(:user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => "jimm"}})
+        |> response(200)
+
+      assert response =~ "Error following account"
+    end
+
+    test "returns success result when user already in followers", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+      {:ok, _, _, _} = CommonAPI.follow(user, user2)
+
+      response =
+        conn
+        |> assign(:user, refresh_record(user))
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["write:follows"]))
+        |> post(remote_follow_path(conn, :do_follow), %{"user" => %{"id" => user2.id}})
+        |> response(200)
+
+      assert response =~ "Account followed!"
+    end
+  end
+
+  describe "POST /ostatus_subscribe - follow/2 without assigned user " do
+    test "follows", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+
+      response =
+        conn
+        |> post(remote_follow_path(conn, :do_follow), %{
+          "authorization" => %{"name" => user.nickname, "password" => "test", "id" => user2.id}
+        })
+        |> response(200)
+
+      assert response =~ "Account followed!"
+      assert user2.follower_address in User.following(user)
+    end
+
+    test "returns error when followee not found", %{conn: conn} do
+      user = insert(:user)
+
+      response =
+        conn
+        |> post(remote_follow_path(conn, :do_follow), %{
+          "authorization" => %{"name" => user.nickname, "password" => "test", "id" => "jimm"}
+        })
+        |> response(200)
+
+      assert response =~ "Error following account"
+    end
+
+    test "returns error when login invalid", %{conn: conn} do
+      user = insert(:user)
+
+      response =
+        conn
+        |> post(remote_follow_path(conn, :do_follow), %{
+          "authorization" => %{"name" => "jimm", "password" => "test", "id" => user.id}
+        })
+        |> response(200)
+
+      assert response =~ "Wrong username or password"
+    end
+
+    test "returns error when password invalid", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+
+      response =
+        conn
+        |> post(remote_follow_path(conn, :do_follow), %{
+          "authorization" => %{"name" => user.nickname, "password" => "42", "id" => user2.id}
+        })
+        |> response(200)
+
+      assert response =~ "Wrong username or password"
+    end
+
+    test "returns error when user is blocked", %{conn: conn} do
+      Pleroma.Config.put([:user, :deny_follow_blocked], true)
+      user = insert(:user)
+      user2 = insert(:user)
+      {:ok, _user_block} = Pleroma.User.block(user2, user)
+
+      response =
+        conn
+        |> post(remote_follow_path(conn, :do_follow), %{
+          "authorization" => %{"name" => user.nickname, "password" => "test", "id" => user2.id}
+        })
+        |> response(200)
+
+      assert response =~ "Error following account"
+    end
+  end
+end

test/web/twitter_api/util_controller_test.exs

@@ -6,11 +6,9 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   use Pleroma.Web.ConnCase
   use Oban.Testing, repo: Pleroma.Repo
 
-  alias Pleroma.Repo
   alias Pleroma.Tests.ObanHelpers
   alias Pleroma.User
-  alias Pleroma.Web.CommonAPI
-  import ExUnit.CaptureLog
+
   import Pleroma.Factory
   import Mock
 
@@ -24,21 +22,20 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   clear_config([:user, :deny_follow_blocked])
 
   describe "POST /api/pleroma/follow_import" do
+    setup do: oauth_access(["follow"])
+
     test "it returns HTTP 200", %{conn: conn} do
-      user1 = insert(:user)
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/pleroma/follow_import", %{"list" => "#{user2.ap_id}"})
         |> json_response(:ok)
 
       assert response == "job started"
     end
 
-    test "it imports follow lists from file", %{conn: conn} do
-      user1 = insert(:user)
+    test "it imports follow lists from file", %{user: user1, conn: conn} do
       user2 = insert(:user)
 
       with_mocks([
@@ -49,7 +46,6 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       ]) do
         response =
           conn
-          |> assign(:user, user1)
           |> post("/api/pleroma/follow_import", %{"list" => %Plug.Upload{path: "follow_list.txt"}})
           |> json_response(:ok)
 
@@ -67,12 +63,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
     end
 
     test "it imports new-style mastodon follow lists", %{conn: conn} do
-      user1 = insert(:user)
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/pleroma/follow_import", %{
           "list" => "Account address,Show boosts\n#{user2.ap_id},true"
         })
@@ -81,7 +75,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert response == "job started"
     end
 
-    test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
+    test "requires 'follow' or 'write:follows' permissions" do
       token1 = insert(:oauth_token, scopes: ["read", "write"])
       token2 = insert(:oauth_token, scopes: ["follow"])
       token3 = insert(:oauth_token, scopes: ["something"])
@@ -89,7 +83,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
 
       for token <- [token1, token2, token3] do
         conn =
-          conn
+          build_conn()
           |> put_req_header("authorization", "Bearer #{token.token}")
           |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
 
@@ -104,21 +98,21 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   end
 
   describe "POST /api/pleroma/blocks_import" do
+    # Note: "follow" or "write:blocks" permission is required
+    setup do: oauth_access(["write:blocks"])
+
     test "it returns HTTP 200", %{conn: conn} do
-      user1 = insert(:user)
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/pleroma/blocks_import", %{"list" => "#{user2.ap_id}"})
         |> json_response(:ok)
 
       assert response == "job started"
     end
 
-    test "it imports blocks users from file", %{conn: conn} do
-      user1 = insert(:user)
+    test "it imports blocks users from file", %{user: user1, conn: conn} do
       user2 = insert(:user)
       user3 = insert(:user)
 
@@ -127,7 +121,6 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       ]) do
         response =
           conn
-          |> assign(:user, user1)
           |> post("/api/pleroma/blocks_import", %{"list" => %Plug.Upload{path: "blocks_list.txt"}})
           |> json_response(:ok)
 
@@ -146,18 +139,17 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   end
 
   describe "PUT /api/pleroma/notification_settings" do
-    test "it updates notification settings", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
+    test "it updates notification settings", %{user: user, conn: conn} do
       conn
-      |> assign(:user, user)
       |> put("/api/pleroma/notification_settings", %{
         "followers" => false,
         "bar" => 1
       })
       |> json_response(:ok)
 
-      user = Repo.get(User, user.id)
+      user = refresh_record(user)
 
       assert %Pleroma.User.NotificationSetting{
                followers: false,
@@ -168,11 +160,8 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
              } == user.notification_settings
     end
 
-    test "it update notificatin privacy option", %{conn: conn} do
-      user = insert(:user)
-
+    test "it updates notification privacy option", %{user: user, conn: conn} do
       conn
-      |> assign(:user, user)
       |> put("/api/pleroma/notification_settings", %{"privacy_option" => "1"})
       |> json_response(:ok)
 
@@ -328,196 +317,6 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
     end
   end
 
-  describe "GET /ostatus_subscribe - remote_follow/2" do
-    test "adds status to pleroma instance if the `acct` is a status", %{conn: conn} do
-      conn =
-        get(
-          conn,
-          "/ostatus_subscribe?acct=https://mastodon.social/users/emelie/statuses/101849165031453009"
-        )
-
-      assert redirected_to(conn) =~ "/notice/"
-    end
-
-    test "show follow account page if the `acct` is a account link", %{conn: conn} do
-      response =
-        get(
-          conn,
-          "/ostatus_subscribe?acct=https://mastodon.social/users/emelie"
-        )
-
-      assert html_response(response, 200) =~ "Log in to follow"
-    end
-
-    test "show follow page if the `acct` is a account link", %{conn: conn} do
-      user = insert(:user)
-
-      response =
-        conn
-        |> assign(:user, user)
-        |> get("/ostatus_subscribe?acct=https://mastodon.social/users/emelie")
-
-      assert html_response(response, 200) =~ "Remote follow"
-    end
-
-    test "show follow page with error when user cannot fecth by `acct` link", %{conn: conn} do
-      user = insert(:user)
-
-      assert capture_log(fn ->
-               response =
-                 conn
-                 |> assign(:user, user)
-                 |> get("/ostatus_subscribe?acct=https://mastodon.social/users/not_found")
-
-               assert html_response(response, 200) =~ "Error fetching user"
-             end) =~ "Object has been deleted"
-    end
-  end
-
-  describe "POST /ostatus_subscribe - do_remote_follow/2 with assigned user " do
-    test "follows user", %{conn: conn} do
-      user = insert(:user)
-      user2 = insert(:user)
-
-      response =
-        conn
-        |> assign(:user, user)
-        |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-        |> response(200)
-
-      assert response =~ "Account followed!"
-      assert user2.follower_address in User.following(user)
-    end
-
-    test "returns error when user is deactivated", %{conn: conn} do
-      user = insert(:user, deactivated: true)
-      user2 = insert(:user)
-
-      response =
-        conn
-        |> assign(:user, user)
-        |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-        |> response(200)
-
-      assert response =~ "Error following account"
-    end
-
-    test "returns error when user is blocked", %{conn: conn} do
-      Pleroma.Config.put([:user, :deny_follow_blocked], true)
-      user = insert(:user)
-      user2 = insert(:user)
-
-      {:ok, _user_block} = Pleroma.User.block(user2, user)
-
-      response =
-        conn
-        |> assign(:user, user)
-        |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-        |> response(200)
-
-      assert response =~ "Error following account"
-    end
-
-    test "returns error when followee not found", %{conn: conn} do
-      user = insert(:user)
-
-      response =
-        conn
-        |> assign(:user, user)
-        |> post("/ostatus_subscribe", %{"user" => %{"id" => "jimm"}})
-        |> response(200)
-
-      assert response =~ "Error following account"
-    end
-
-    test "returns success result when user already in followers", %{conn: conn} do
-      user = insert(:user)
-      user2 = insert(:user)
-      {:ok, _, _, _} = CommonAPI.follow(user, user2)
-
-      response =
-        conn
-        |> assign(:user, refresh_record(user))
-        |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
-        |> response(200)
-
-      assert response =~ "Account followed!"
-    end
-  end
-
-  describe "POST /ostatus_subscribe - do_remote_follow/2 without assigned user " do
-    test "follows", %{conn: conn} do
-      user = insert(:user)
-      user2 = insert(:user)
-
-      response =
-        conn
-        |> post("/ostatus_subscribe", %{
-          "authorization" => %{"name" => user.nickname, "password" => "test", "id" => user2.id}
-        })
-        |> response(200)
-
-      assert response =~ "Account followed!"
-      assert user2.follower_address in User.following(user)
-    end
-
-    test "returns error when followee not found", %{conn: conn} do
-      user = insert(:user)
-
-      response =
-        conn
-        |> post("/ostatus_subscribe", %{
-          "authorization" => %{"name" => user.nickname, "password" => "test", "id" => "jimm"}
-        })
-        |> response(200)
-
-      assert response =~ "Error following account"
-    end
-
-    test "returns error when login invalid", %{conn: conn} do
-      user = insert(:user)
-
-      response =
-        conn
-        |> post("/ostatus_subscribe", %{
-          "authorization" => %{"name" => "jimm", "password" => "test", "id" => user.id}
-        })
-        |> response(200)
-
-      assert response =~ "Wrong username or password"
-    end
-
-    test "returns error when password invalid", %{conn: conn} do
-      user = insert(:user)
-      user2 = insert(:user)
-
-      response =
-        conn
-        |> post("/ostatus_subscribe", %{
-          "authorization" => %{"name" => user.nickname, "password" => "42", "id" => user2.id}
-        })
-        |> response(200)
-
-      assert response =~ "Wrong username or password"
-    end
-
-    test "returns error when user is blocked", %{conn: conn} do
-      Pleroma.Config.put([:user, :deny_follow_blocked], true)
-      user = insert(:user)
-      user2 = insert(:user)
-      {:ok, _user_block} = Pleroma.User.block(user2, user)
-
-      response =
-        conn
-        |> post("/ostatus_subscribe", %{
-          "authorization" => %{"name" => user.nickname, "password" => "test", "id" => user2.id}
-        })
-        |> response(200)
-
-      assert response =~ "Error following account"
-    end
-  end
-
   describe "GET /api/pleroma/healthcheck" do
     clear_config([:instance, :healthcheck])
 
@@ -552,7 +351,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       end
     end
 
-    test "returns 503 when healthcheck enabled and  health is false", %{conn: conn} do
+    test "returns 503 when healthcheck enabled and health is false", %{conn: conn} do
       Pleroma.Config.put([:instance, :healthcheck], true)
 
       with_mock Pleroma.Healthcheck,
@@ -574,12 +373,11 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   end
 
   describe "POST /api/pleroma/disable_account" do
-    test "it returns HTTP 200", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
+    test "with valid permissions and password, it disables the account", %{conn: conn, user: user} do
       response =
         conn
-        |> assign(:user, user)
         |> post("/api/pleroma/disable_account", %{"password" => "test"})
         |> json_response(:ok)
 
@@ -591,12 +389,11 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert user.deactivated == true
     end
 
-    test "it returns returns when password invalid", %{conn: conn} do
+    test "with valid permissions and invalid password, it returns an error", %{conn: conn} do
       user = insert(:user)
 
       response =
         conn
-        |> assign(:user, user)
         |> post("/api/pleroma/disable_account", %{"password" => "test1"})
         |> json_response(:ok)
 
@@ -666,7 +463,7 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
                "https://social.heldscal.la/main/ostatussub?profile=#{user.ap_id}"
     end
 
-    test "it renders form with error when use not found", %{conn: conn} do
+    test "it renders form with error when user not found", %{conn: conn} do
       user2 = insert(:user, ap_id: "shp@social.heldscal.la")
 
       response =
@@ -691,29 +488,21 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
     end
   end
 
-  defp with_credentials(conn, username, password) do
-    header_content = "Basic " <> Base.encode64("#{username}:#{password}")
-    put_req_header(conn, "authorization", header_content)
-  end
-
-  defp valid_user(_context) do
-    user = insert(:user)
-    [user: user]
-  end
-
   describe "POST /api/pleroma/change_email" do
-    setup [:valid_user]
+    setup do: oauth_access(["write:accounts"])
 
-    test "without credentials", %{conn: conn} do
-      conn = post(conn, "/api/pleroma/change_email")
-      assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-    end
-
-    test "with credentials and invalid password", %{conn: conn, user: current_user} do
+    test "without permissions", %{conn: conn} do
       conn =
         conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        |> assign(:token, nil)
+        |> post("/api/pleroma/change_email")
+
+      assert json_response(conn, 403) == %{"error" => "Insufficient permissions: write:accounts."}
+    end
+
+    test "with proper permissions and invalid password", %{conn: conn} do
+      conn =
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "hi",
           "email" => "test@test.com"
         })
@@ -721,14 +510,11 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert json_response(conn, 200) == %{"error" => "Invalid password."}
     end
 
-    test "with credentials, valid password and invalid email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and invalid email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => "foobar"
         })
@@ -736,28 +522,22 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert json_response(conn, 200) == %{"error" => "Email has invalid format."}
     end
 
-    test "with credentials, valid password and no email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and no email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test"
         })
 
       assert json_response(conn, 200) == %{"error" => "Email can't be blank."}
     end
 
-    test "with credentials, valid password and blank email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and blank email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => ""
         })
@@ -765,16 +545,13 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert json_response(conn, 200) == %{"error" => "Email can't be blank."}
     end
 
-    test "with credentials, valid password and non unique email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and non unique email", %{
+      conn: conn
     } do
       user = insert(:user)
 
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => user.email
         })
@@ -782,14 +559,11 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert json_response(conn, 200) == %{"error" => "Email has already been taken."}
     end
 
-    test "with credentials, valid password and valid email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and valid email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => "cofe@foobar.com"
         })
@@ -799,18 +573,20 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   end
 
   describe "POST /api/pleroma/change_password" do
-    setup [:valid_user]
+    setup do: oauth_access(["write:accounts"])
 
-    test "without credentials", %{conn: conn} do
-      conn = post(conn, "/api/pleroma/change_password")
-      assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-    end
-
-    test "with credentials and invalid password", %{conn: conn, user: current_user} do
+    test "without permissions", %{conn: conn} do
       conn =
         conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        |> assign(:token, nil)
+        |> post("/api/pleroma/change_password")
+
+      assert json_response(conn, 403) == %{"error" => "Insufficient permissions: write:accounts."}
+    end
+
+    test "with proper permissions and invalid password", %{conn: conn} do
+      conn =
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "hi",
           "new_password" => "newpass",
           "new_password_confirmation" => "newpass"
@@ -819,14 +595,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
       assert json_response(conn, 200) == %{"error" => "Invalid password."}
     end
 
-    test "with credentials, valid password and new password and confirmation not matching", %{
-      conn: conn,
-      user: current_user
-    } do
+    test "with proper permissions, valid password and new password and confirmation not matching",
+         %{
+           conn: conn
+         } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "test",
           "new_password" => "newpass",
           "new_password_confirmation" => "notnewpass"
@@ -837,14 +611,11 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
              }
     end
 
-    test "with credentials, valid password and invalid new password", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and invalid new password", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "test",
           "new_password" => "",
           "new_password_confirmation" => ""
@@ -855,47 +626,46 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
              }
     end
 
-    test "with credentials, valid password and matching new password and confirmation", %{
+    test "with proper permissions, valid password and matching new password and confirmation", %{
       conn: conn,
-      user: current_user
+      user: user
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "test",
           "new_password" => "newpass",
           "new_password_confirmation" => "newpass"
         })
 
       assert json_response(conn, 200) == %{"status" => "success"}
-      fetched_user = User.get_cached_by_id(current_user.id)
+      fetched_user = User.get_cached_by_id(user.id)
       assert Comeonin.Pbkdf2.checkpw("newpass", fetched_user.password_hash) == true
     end
   end
 
   describe "POST /api/pleroma/delete_account" do
-    setup [:valid_user]
+    setup do: oauth_access(["write:accounts"])
 
-    test "without credentials", %{conn: conn} do
-      conn = post(conn, "/api/pleroma/delete_account")
-      assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-    end
-
-    test "with credentials and invalid password", %{conn: conn, user: current_user} do
+    test "without permissions", %{conn: conn} do
       conn =
         conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/delete_account", %{"password" => "hi"})
+        |> assign(:token, nil)
+        |> post("/api/pleroma/delete_account")
 
-      assert json_response(conn, 200) == %{"error" => "Invalid password."}
+      assert json_response(conn, 403) ==
+               %{"error" => "Insufficient permissions: write:accounts."}
     end
 
-    test "with credentials and valid password", %{conn: conn, user: current_user} do
-      conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/delete_account", %{"password" => "test"})
+    test "with proper permissions and wrong or missing password", %{conn: conn} do
+      for params <- [%{"password" => "hi"}, %{}] do
+        ret_conn = post(conn, "/api/pleroma/delete_account", params)
+
+        assert json_response(ret_conn, 200) == %{"error" => "Invalid password."}
+      end
+    end
+
+    test "with proper permissions and valid password", %{conn: conn} do
+      conn = post(conn, "/api/pleroma/delete_account", %{"password" => "test"})
 
       assert json_response(conn, 200) == %{"status" => "success"}
     end