[#1234] Merge remote-tracking branch 'remotes/upstream/develop' into 1234-mastodon-2-4-3-oauth-scopes

# Conflicts: # CHANGELOG.md # lib/pleroma/web/mastodon_api/controllers/mastodon_api_controller.ex # lib/pleroma/web/router.ex
2019-10-02 20:42:40 +03:00 · 2019-10-02 20:42:40 +03:00 · 64095961fe
commit 64095961fe
parent 6f67aed3ac a22a7437d8
222 changed files with 10323 additions and 6972 deletions
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@ -7,6 +7,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  import Pleroma.Factory

  alias Pleroma.Repo
+  alias Pleroma.User
  alias Pleroma.Web.OAuth.Authorization
  alias Pleroma.Web.OAuth.OAuthController
  alias Pleroma.Web.OAuth.Token
@ -775,15 +776,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do

    test "rejects token exchange for valid credentials belonging to unconfirmed user and confirmation is required" do
      Pleroma.Config.put([:instance, :account_activation_required], true)
-
      password = "testpassword"
-      user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
-      info_change = Pleroma.User.Info.confirmation_changeset(user.info, need_confirmation: true)

      {:ok, user} =
-        user
-        |> Ecto.Changeset.change()
-        |> Ecto.Changeset.put_embed(:info, info_change)
+        insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt(password))
+        |> User.change_info(&User.Info.confirmation_changeset(&1, need_confirmation: true))
        |> Repo.update()

      refute Pleroma.User.auth_active?(user)
@ -831,6 +828,33 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      refute Map.has_key?(resp, "access_token")
    end

+    test "rejects token exchange for user with password_reset_pending set to true" do
+      password = "testpassword"
+
+      user =
+        insert(:user,
+          password_hash: Comeonin.Pbkdf2.hashpwsalt(password),
+          info: %{password_reset_pending: true}
+        )
+
+      app = insert(:oauth_app, scopes: ["read", "write"])
+
+      conn =
+        build_conn()
+        |> post("/oauth/token", %{
+          "grant_type" => "password",
+          "username" => user.nickname,
+          "password" => password,
+          "client_id" => app.client_id,
+          "client_secret" => app.client_secret
+        })
+
+      assert resp = json_response(conn, 403)
+
+      assert resp["error"] == "Password reset is required"
+      refute Map.has_key?(resp, "access_token")
+    end
+
    test "rejects an invalid authorization code" do
      app = insert(:oauth_app)