Remove :auth, :enforce_oauth_admin_scope_usage
`admin` scope has been required by default for more than a year now and all apps that use the API seems to request a proper scope by now.
This commit is contained in:
rinpatch
parent
679a2e799e
commit
6d66fadea7
9 changed files with 70 additions and 239 deletions
|
|
@ -46,104 +46,47 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
|
|||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
end
|
||||
|
||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires " <>
|
||||
"read:accounts or admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -47,104 +47,47 @@ defmodule Pleroma.Web.AdminAPI.UserControllerTest do
|
|||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
end
|
||||
|
||||
describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
for good_token <- [good_token1, good_token2, good_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
test "GET /api/pleroma/admin/users/:nickname requires " <>
|
||||
"read:accounts or admin:read:accounts or broader scope",
|
||||
%{admin: admin} do
|
||||
user = insert(:user)
|
||||
url = "/api/pleroma/admin/users/#{user.nickname}"
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
|
||||
good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
|
||||
good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
|
||||
good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
|
||||
good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
|
||||
|
||||
bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
|
||||
bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
|
||||
bad_token3 = nil
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, 200)
|
||||
end
|
||||
|
||||
for good_token <- good_tokens do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, nil)
|
||||
|> assign(:token, good_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
|
||||
for bad_token <- [bad_token1, bad_token2, bad_token3] do
|
||||
conn =
|
||||
build_conn()
|
||||
|> assign(:user, admin)
|
||||
|> assign(:token, bad_token)
|
||||
|> get(url)
|
||||
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
assert json_response(conn, :forbidden)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -13,8 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiFileControllerTest do
|
|||
Pleroma.Config.get!([:instance, :static_dir]),
|
||||
"emoji"
|
||||
)
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
|
||||
setup do: clear_config([:instance, :public], true)
|
||||
|
||||
setup do
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ defmodule Pleroma.Web.PleromaAPI.EmojiPackControllerTest do
|
|||
Pleroma.Config.get!([:instance, :static_dir]),
|
||||
"emoji"
|
||||
)
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
|
||||
setup do: clear_config([:instance, :public], true)
|
||||
|
||||
|
|
|
|||
|
|
@ -169,42 +169,4 @@ defmodule Pleroma.Web.Plugs.OAuthScopesPlugTest do
|
|||
assert f.(["admin:read"], ["write", "admin"]) == ["admin:read"]
|
||||
end
|
||||
end
|
||||
|
||||
describe "transform_scopes/2" do
|
||||
setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage])
|
||||
|
||||
setup do
|
||||
{:ok, %{f: &OAuthScopesPlug.transform_scopes/2}}
|
||||
end
|
||||
|
||||
test "with :admin option, prefixes all requested scopes with `admin:` " <>
|
||||
"and [optionally] keeps only prefixed scopes, " <>
|
||||
"depending on `[:auth, :enforce_oauth_admin_scope_usage]` setting",
|
||||
%{f: f} do
|
||||
clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
|
||||
|
||||
assert f.(["read"], %{admin: true}) == ["admin:read", "read"]
|
||||
|
||||
assert f.(["read", "write"], %{admin: true}) == [
|
||||
"admin:read",
|
||||
"read",
|
||||
"admin:write",
|
||||
"write"
|
||||
]
|
||||
|
||||
clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
|
||||
|
||||
assert f.(["read:accounts"], %{admin: true}) == ["admin:read:accounts"]
|
||||
|
||||
assert f.(["read", "write:reports"], %{admin: true}) == [
|
||||
"admin:read",
|
||||
"admin:write:reports"
|
||||
]
|
||||
end
|
||||
|
||||
test "with no supported options, returns unmodified scopes", %{f: f} do
|
||||
assert f.(["read"], %{}) == ["read"]
|
||||
assert f.(["read", "write"], %{}) == ["read", "write"]
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue