Merge branch 'fix-admin-api-scope' into 'develop'

fix oauth scopes for AdminApi#reports_update See merge request pleroma/pleroma!2087
2020-01-20 12:07:12 +00:00 · 2020-01-20 12:07:12 +00:00 · c814f22030
parent e8759cb5ba 385356aad0
commit c814f22030
2 changed files with 25 additions and 1 deletions
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@ -75,7 +75,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
  plug(
    OAuthScopesPlug,
    %{scopes: ["write:reports"], admin: true}
-    when action in [:report_update_state, :report_respond]
+    when action in [:reports_update]
  )

  plug(
--- a/test/web/admin_api/admin_api_controller_test.exs
+++ b/test/web/admin_api/admin_api_controller_test.exs
@ -1363,6 +1363,30 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      }
    end

+    test "requires write:reports scope", %{conn: conn, id: id, admin: admin} do
+      read_token = insert(:oauth_token, user: admin, scopes: ["read"])
+      write_token = insert(:oauth_token, user: admin, scopes: ["write:reports"])
+
+      response =
+        conn
+        |> assign(:token, read_token)
+        |> patch("/api/pleroma/admin/reports", %{
+          "reports" => [%{"state" => "resolved", "id" => id}]
+        })
+        |> json_response(403)
+
+      assert response == %{
+               "error" => "Insufficient permissions: admin:write:reports | write:reports."
+             }
+
+      conn
+      |> assign(:token, write_token)
+      |> patch("/api/pleroma/admin/reports", %{
+        "reports" => [%{"state" => "resolved", "id" => id}]
+      })
+      |> json_response(:no_content)
+    end
+
    test "mark report as resolved", %{conn: conn, id: id, admin: admin} do
      conn
      |> patch("/api/pleroma/admin/reports", %{