[#1940] Reinstated OAuth-less admin_token authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence).

2020-07-19 21:35:57 +03:00 · 2020-07-19 21:35:57 +03:00 · cf3f8cb72a
commit cf3f8cb72a
parent 5d215fd81f
10 changed files with 169 additions and 242 deletions
--- a/test/plugs/user_is_admin_plug_test.exs
+++ b/test/plugs/user_is_admin_plug_test.exs
@ -8,112 +8,30 @@ defmodule Pleroma.Plugs.UserIsAdminPlugTest do
  alias Pleroma.Plugs.UserIsAdminPlug
  import Pleroma.Factory

-  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], false)
+  test "accepts a user that is an admin" do
+    user = insert(:user, is_admin: true)

-    test "accepts a user that is an admin" do
-      user = insert(:user, is_admin: true)
+    conn = assign(build_conn(), :user, user)

-      conn = assign(build_conn(), :user, user)
+    ret_conn = UserIsAdminPlug.call(conn, %{})

-      ret_conn = UserIsAdminPlug.call(conn, %{})
-
-      assert conn == ret_conn
-    end
-
-    test "denies a user that isn't an admin" do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-        |> UserIsAdminPlug.call(%{})
-
-      assert conn.status == 403
-    end
-
-    test "denies when a user isn't set" do
-      conn = UserIsAdminPlug.call(build_conn(), %{})
-
-      assert conn.status == 403
-    end
+    assert conn == ret_conn
  end

-  describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
-    setup do: clear_config([:auth, :enforce_oauth_admin_scope_usage], true)
+  test "denies a user that isn't an admin" do
+    user = insert(:user)

-    setup do
-      admin_user = insert(:user, is_admin: true)
-      non_admin_user = insert(:user, is_admin: false)
-      blank_user = nil
+    conn =
+      build_conn()
+      |> assign(:user, user)
+      |> UserIsAdminPlug.call(%{})

-      {:ok, %{users: [admin_user, non_admin_user, blank_user]}}
-    end
+    assert conn.status == 403
+  end

-    test "if token has any of admin scopes, accepts a user that is an admin", %{conn: conn} do
-      user = insert(:user, is_admin: true)
-      token = insert(:oauth_token, user: user, scopes: ["admin:something"])
+  test "denies when a user isn't set" do
+    conn = UserIsAdminPlug.call(build_conn(), %{})

-      conn =
-        conn
-        |> assign(:user, user)
-        |> assign(:token, token)
-
-      ret_conn = UserIsAdminPlug.call(conn, %{})
-
-      assert conn == ret_conn
-    end
-
-    test "if token has any of admin scopes, denies a user that isn't an admin", %{conn: conn} do
-      user = insert(:user, is_admin: false)
-      token = insert(:oauth_token, user: user, scopes: ["admin:something"])
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> assign(:token, token)
-        |> UserIsAdminPlug.call(%{})
-
-      assert conn.status == 403
-    end
-
-    test "if token has any of admin scopes, denies when a user isn't set", %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["admin:something"])
-
-      conn =
-        conn
-        |> assign(:user, nil)
-        |> assign(:token, token)
-        |> UserIsAdminPlug.call(%{})
-
-      assert conn.status == 403
-    end
-
-    test "if token lacks admin scopes, denies users regardless of is_admin flag",
-         %{users: users} do
-      for user <- users do
-        token = insert(:oauth_token, user: user)
-
-        conn =
-          build_conn()
-          |> assign(:user, user)
-          |> assign(:token, token)
-          |> UserIsAdminPlug.call(%{})
-
-        assert conn.status == 403
-      end
-    end
-
-    test "if token is missing, denies users regardless of is_admin flag", %{users: users} do
-      for user <- users do
-        conn =
-          build_conn()
-          |> assign(:user, user)
-          |> assign(:token, nil)
-          |> UserIsAdminPlug.call(%{})
-
-        assert conn.status == 403
-      end
-    end
+    assert conn.status == 403
  end
 end