From 7973cbdb9fa9120306cb5a265a477eeccd315ee6 Mon Sep 17 00:00:00 2001
From: Ivan Tashkinov <ivantashkinov@gmail.com>
Date: Sun, 15 Dec 2019 22:32:42 +0300
Subject: [PATCH] OAuthScopesPlug: disallowed nil token (unless with :fallback
 option). WIP: controller tests modification: OAuth scopes usage.

---
 lib/pleroma/plugs/oauth_scopes_plug.ex        |   9 +-
 lib/pleroma/user.ex                           |   6 +-
 .../controllers/emoji_api_controller.ex       |   2 +-
 .../controllers/pleroma_api_controller.ex     |   9 +-
 .../controllers/util_controller.ex            |  57 +-
 test/notification_test.exs                    |   2 +-
 test/plugs/oauth_scopes_plug_test.exs         | 157 ++---
 test/support/conn_case.ex                     |  20 +
 test/support/factory.ex                       |  32 +-
 .../admin_api/admin_api_controller_test.exs   | 566 +++++++-----------
 .../controllers/status_controller_test.exs    | 392 +++++-------
 test/web/oauth/oauth_controller_test.exs      |  10 +-
 .../pleroma_api_controller_test.exs           |  40 +-
 test/web/twitter_api/util_controller_test.exs | 248 ++++----
 14 files changed, 638 insertions(+), 912 deletions(-)

diff --git a/lib/pleroma/plugs/oauth_scopes_plug.ex b/lib/pleroma/plugs/oauth_scopes_plug.ex
index 174a8389c..07c0f7fdb 100644
--- a/lib/pleroma/plugs/oauth_scopes_plug.ex
+++ b/lib/pleroma/plugs/oauth_scopes_plug.ex
@@ -18,16 +18,13 @@ def call(%Plug.Conn{assigns: assigns} = conn, %{scopes: scopes} = options) do
     token = assigns[:token]
 
     scopes = transform_scopes(scopes, options)
-    matched_scopes = token && filter_descendants(scopes, token.scopes)
+    matched_scopes = (token && filter_descendants(scopes, token.scopes)) || []
 
     cond do
-      is_nil(token) ->
-        maybe_perform_instance_privacy_check(conn, options)
-
-      op == :| && Enum.any?(matched_scopes) ->
+      token && op == :| && Enum.any?(matched_scopes) ->
         conn
 
-      op == :& && matched_scopes == scopes ->
+      token && op == :& && matched_scopes == scopes ->
         conn
 
       options[:fallback] == :proceed_unauthenticated ->
diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex
index 706aee2ff..021a542b3 100644
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -1855,9 +1855,9 @@ def admin_api_update(user, params) do
       ])
 
     with {:ok, updated_user} <- update_and_set_cache(changeset) do
-      if user.is_admin && !updated_user.is_admin do
-        # Tokens & authorizations containing any admin scopes must be revoked (revoking all).
-        # This is an extra safety measure (tokens' admin scopes won't be accepted for non-admins).
+      if user.is_admin != updated_user.is_admin do
+        # Admin status change results in change of accessible OAuth scopes, and instead of changing
+        #   already issued tokens we revoke them, requiring user to sign in again
         global_sign_out(user)
       end
 
diff --git a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
index 69dfa92e3..0bbf84fd3 100644
--- a/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/emoji_api_controller.ex
@@ -52,7 +52,7 @@ def list_from(conn, %{"instance_address" => address}) do
   @doc """
   Lists the packs available on the instance as JSON.
 
-  The information is public and does not require authentification. The format is
+  The information is public and does not require authentication. The format is
   a map of "pack directory name" to pack.json contents.
   """
   def list_packs(conn, _params) do
diff --git a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
index 8fed3f5bb..772c535a4 100644
--- a/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
+++ b/lib/pleroma/web/pleroma_api/controllers/pleroma_api_controller.ex
@@ -22,7 +22,14 @@ defmodule Pleroma.Web.PleromaAPI.PleromaAPIController do
 
   plug(
     OAuthScopesPlug,
-    %{scopes: ["read:statuses"]} when action in [:conversation, :conversation_statuses]
+    %{scopes: ["read:statuses"]}
+    when action in [:conversation, :conversation_statuses, :emoji_reactions_by]
+  )
+
+  plug(
+    OAuthScopesPlug,
+    %{scopes: ["write:statuses"]}
+    when action in [:react_with_emoji, :unreact_with_emoji]
   )
 
   plug(
diff --git a/lib/pleroma/web/twitter_api/controllers/util_controller.ex b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
index 2305bb413..849783d4a 100644
--- a/lib/pleroma/web/twitter_api/controllers/util_controller.ex
+++ b/lib/pleroma/web/twitter_api/controllers/util_controller.ex
@@ -22,7 +22,14 @@ defmodule Pleroma.Web.TwitterAPI.UtilController do
   plug(
     OAuthScopesPlug,
     %{scopes: ["follow", "write:follows"]}
-    when action in [:do_remote_follow, :follow_import]
+    when action == :follow_import
+  )
+
+  # Note: follower can submit the form (with password auth) not being signed in (having no token)
+  plug(
+    OAuthScopesPlug,
+    %{fallback: :proceed_unauthenticated, scopes: ["follow", "write:follows"]}
+    when action == :do_remote_follow
   )
 
   plug(OAuthScopesPlug, %{scopes: ["follow", "write:blocks"]} when action == :blocks_import)
@@ -112,6 +119,28 @@ defp is_status?(acct) do
     end
   end
 
+  def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}})
+      when not is_nil(user) do
+    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
+         {:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do
+      conn
+      |> render("followed.html", %{error: false})
+    else
+      # Was already following user
+      {:error, "Could not follow user:" <> _rest} ->
+        render(conn, "followed.html", %{error: "Error following account"})
+
+      {:fetch_user, error} ->
+        Logger.debug("Remote follow failed with error #{inspect(error)}")
+        render(conn, "followed.html", %{error: "Could not find user"})
+
+      e ->
+        Logger.debug("Remote follow failed with error #{inspect(e)}")
+        render(conn, "followed.html", %{error: "Something went wrong."})
+    end
+  end
+
+  # Note: "id" is the id of followee user, disregard incorrect placing under "authorization"
   def do_remote_follow(conn, %{
         "authorization" => %{"name" => username, "password" => password, "id" => id}
       }) do
@@ -145,24 +174,12 @@ def do_remote_follow(conn, %{
     end
   end
 
-  def do_remote_follow(%{assigns: %{user: user}} = conn, %{"user" => %{"id" => id}}) do
-    with {:fetch_user, %User{} = followee} <- {:fetch_user, User.get_cached_by_id(id)},
-         {:ok, _follower, _followee, _activity} <- CommonAPI.follow(user, followee) do
-      conn
-      |> render("followed.html", %{error: false})
-    else
-      # Was already following user
-      {:error, "Could not follow user:" <> _rest} ->
-        render(conn, "followed.html", %{error: "Error following account"})
+  def do_remote_follow(%{assigns: %{user: nil}} = conn, _) do
+    render(conn, "followed.html", %{error: "Insufficient permissions: follow | write:follows."})
+  end
 
-      {:fetch_user, error} ->
-        Logger.debug("Remote follow failed with error #{inspect(error)}")
-        render(conn, "followed.html", %{error: "Could not find user"})
-
-      e ->
-        Logger.debug("Remote follow failed with error #{inspect(e)}")
-        render(conn, "followed.html", %{error: "Something went wrong."})
-    end
+  def do_remote_follow(conn, _) do
+    render(conn, "followed.html", %{error: "Something went wrong."})
   end
 
   def notifications_read(%{assigns: %{user: user}} = conn, %{"id" => notification_id}) do
@@ -345,7 +362,9 @@ def change_email(%{assigns: %{user: user}} = conn, params) do
   end
 
   def delete_account(%{assigns: %{user: user}} = conn, params) do
-    case CommonAPI.Utils.confirm_current_password(user, params["password"]) do
+    password = params["password"] || ""
+
+    case CommonAPI.Utils.confirm_current_password(user, password) do
       {:ok, user} ->
         User.delete(user)
         json(conn, %{status: "success"})
diff --git a/test/notification_test.exs b/test/notification_test.exs
index ffa3d4b8c..f5f23bb5a 100644
--- a/test/notification_test.exs
+++ b/test/notification_test.exs
@@ -98,7 +98,7 @@ test "it creates a notification for user if the user blocks the activity author"
       assert Notification.create_notification(activity, user)
     end
 
-    test "it creates a notificatin for the user if the user mutes the activity author" do
+    test "it creates a notification for the user if the user mutes the activity author" do
       muter = insert(:user)
       muted = insert(:user)
       {:ok, _} = User.mute(muter, muted)
diff --git a/test/plugs/oauth_scopes_plug_test.exs b/test/plugs/oauth_scopes_plug_test.exs
index 89f32f43a..ce426677b 100644
--- a/test/plugs/oauth_scopes_plug_test.exs
+++ b/test/plugs/oauth_scopes_plug_test.exs
@@ -16,34 +16,6 @@ defmodule Pleroma.Plugs.OAuthScopesPlugTest do
     :ok
   end
 
-  describe "when `assigns[:token]` is nil, " do
-    test "with :skip_instance_privacy_check option, proceeds with no op", %{conn: conn} do
-      conn =
-        conn
-        |> assign(:user, insert(:user))
-        |> OAuthScopesPlug.call(%{scopes: ["read"], skip_instance_privacy_check: true})
-
-      refute conn.halted
-      assert conn.assigns[:user]
-
-      refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
-    end
-
-    test "without :skip_instance_privacy_check option, calls EnsurePublicOrAuthenticatedPlug", %{
-      conn: conn
-    } do
-      conn =
-        conn
-        |> assign(:user, insert(:user))
-        |> OAuthScopesPlug.call(%{scopes: ["read"]})
-
-      refute conn.halted
-      assert conn.assigns[:user]
-
-      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
-    end
-  end
-
   test "if `token.scopes` fulfills specified 'any of' conditions, " <>
          "proceeds with no op",
        %{conn: conn} do
@@ -75,64 +47,56 @@ test "if `token.scopes` fulfills specified 'all of' conditions, " <>
   end
 
   describe "with `fallback: :proceed_unauthenticated` option, " do
-    test "if `token.scopes` doesn't fulfill specified 'any of' conditions, " <>
-           "clears `assigns[:user]` and calls EnsurePublicOrAuthenticatedPlug",
+    test "if `token.scopes` doesn't fulfill specified conditions, " <>
+           "clears :user and :token assigns and calls EnsurePublicOrAuthenticatedPlug",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
+      user = insert(:user)
+      token1 = insert(:oauth_token, scopes: ["read", "write"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, token.user)
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{scopes: ["follow"], fallback: :proceed_unauthenticated})
+      for token <- [token1, nil], op <- [:|, :&] do
+        ret_conn =
+          conn
+          |> assign(:user, user)
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{
+            scopes: ["follow"],
+            op: op,
+            fallback: :proceed_unauthenticated
+          })
 
-      refute conn.halted
-      refute conn.assigns[:user]
+        refute ret_conn.halted
+        refute ret_conn.assigns[:user]
+        refute ret_conn.assigns[:token]
 
-      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
-    end
-
-    test "if `token.scopes` doesn't fulfill specified 'all of' conditions, " <>
-           "clears `assigns[:user] and calls EnsurePublicOrAuthenticatedPlug",
-         %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"]) |> Repo.preload(:user)
-
-      conn =
-        conn
-        |> assign(:user, token.user)
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{
-          scopes: ["read", "follow"],
-          op: :&,
-          fallback: :proceed_unauthenticated
-        })
-
-      refute conn.halted
-      refute conn.assigns[:user]
-
-      assert called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+        assert called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
+      end
     end
 
     test "with :skip_instance_privacy_check option, " <>
            "if `token.scopes` doesn't fulfill specified conditions, " <>
-           "clears `assigns[:user]` and does not call EnsurePublicOrAuthenticatedPlug",
+           "clears :user and :token assigns and does NOT call EnsurePublicOrAuthenticatedPlug",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read:statuses", "write"]) |> Repo.preload(:user)
+      user = insert(:user)
+      token1 = insert(:oauth_token, scopes: ["read:statuses", "write"], user: user)
 
-      conn =
-        conn
-        |> assign(:user, token.user)
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{
-          scopes: ["read"],
-          fallback: :proceed_unauthenticated,
-          skip_instance_privacy_check: true
-        })
+      for token <- [token1, nil], op <- [:|, :&] do
+        ret_conn =
+          conn
+          |> assign(:user, user)
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{
+            scopes: ["read"],
+            op: op,
+            fallback: :proceed_unauthenticated,
+            skip_instance_privacy_check: true
+          })
 
-      refute conn.halted
-      refute conn.assigns[:user]
+        refute ret_conn.halted
+        refute ret_conn.assigns[:user]
+        refute ret_conn.assigns[:token]
 
-      refute called(EnsurePublicOrAuthenticatedPlug.call(conn, :_))
+        refute called(EnsurePublicOrAuthenticatedPlug.call(ret_conn, :_))
+      end
     end
   end
 
@@ -140,39 +104,42 @@ test "with :skip_instance_privacy_check option, " <>
     test "if `token.scopes` does not fulfill specified 'any of' conditions, " <>
            "returns 403 and halts",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"])
-      any_of_scopes = ["follow"]
+      for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
+        any_of_scopes = ["follow", "push"]
 
-      conn =
-        conn
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
+        ret_conn =
+          conn
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{scopes: any_of_scopes})
 
-      assert conn.halted
-      assert 403 == conn.status
+        assert ret_conn.halted
+        assert 403 == ret_conn.status
 
-      expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, ", ")}."
-      assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+        expected_error = "Insufficient permissions: #{Enum.join(any_of_scopes, " | ")}."
+        assert Jason.encode!(%{error: expected_error}) == ret_conn.resp_body
+      end
     end
 
     test "if `token.scopes` does not fulfill specified 'all of' conditions, " <>
            "returns 403 and halts",
          %{conn: conn} do
-      token = insert(:oauth_token, scopes: ["read", "write"])
-      all_of_scopes = ["write", "follow"]
+      for token <- [insert(:oauth_token, scopes: ["read", "write"]), nil] do
+        token_scopes = (token && token.scopes) || []
+        all_of_scopes = ["write", "follow"]
 
-      conn =
-        conn
-        |> assign(:token, token)
-        |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
+        conn =
+          conn
+          |> assign(:token, token)
+          |> OAuthScopesPlug.call(%{scopes: all_of_scopes, op: :&})
 
-      assert conn.halted
-      assert 403 == conn.status
+        assert conn.halted
+        assert 403 == conn.status
 
-      expected_error =
-        "Insufficient permissions: #{Enum.join(all_of_scopes -- token.scopes, ", ")}."
+        expected_error =
+          "Insufficient permissions: #{Enum.join(all_of_scopes -- token_scopes, " & ")}."
 
-      assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+        assert Jason.encode!(%{error: expected_error}) == conn.resp_body
+      end
     end
   end
 
diff --git a/test/support/conn_case.ex b/test/support/conn_case.ex
index 9897f72ce..95bc2492a 100644
--- a/test/support/conn_case.ex
+++ b/test/support/conn_case.ex
@@ -28,6 +28,26 @@ defmodule Pleroma.Web.ConnCase do
 
       # The default endpoint for testing
       @endpoint Pleroma.Web.Endpoint
+
+      # Sets up OAuth access with specified scopes
+      defp oauth_access(scopes, opts \\ %{}) do
+        user =
+          Map.get_lazy(opts, :user, fn ->
+            Pleroma.Factory.insert(:user)
+          end)
+
+        token =
+          Map.get_lazy(opts, :oauth_token, fn ->
+            Pleroma.Factory.insert(:oauth_token, user: user, scopes: scopes)
+          end)
+
+        conn =
+          build_conn()
+          |> assign(:user, user)
+          |> assign(:token, token)
+
+        %{user: user, token: token, conn: conn}
+      end
     end
   end
 
diff --git a/test/support/factory.ex b/test/support/factory.ex
index 314f26ec9..100864055 100644
--- a/test/support/factory.ex
+++ b/test/support/factory.ex
@@ -296,7 +296,7 @@ def oauth_app_factory do
     %Pleroma.Web.OAuth.App{
       client_name: "Some client",
       redirect_uris: "https://example.com/callback",
-      scopes: ["read", "write", "follow", "push"],
+      scopes: ["read", "write", "follow", "push", "admin"],
       website: "https://example.com",
       client_id: Ecto.UUID.generate(),
       client_secret: "aaa;/&bbb"
@@ -310,19 +310,37 @@ def instance_factory do
     }
   end
 
-  def oauth_token_factory do
-    oauth_app = insert(:oauth_app)
+  def oauth_token_factory(attrs \\ %{}) do
+    scopes = Map.get(attrs, :scopes, ["read"])
+    oauth_app = Map.get_lazy(attrs, :app, fn -> insert(:oauth_app, scopes: scopes) end)
+    user = Map.get_lazy(attrs, :user, fn -> build(:user) end)
+
+    valid_until =
+      Map.get(attrs, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10))
 
     %Pleroma.Web.OAuth.Token{
       token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
-      scopes: ["read"],
       refresh_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(),
-      user: build(:user),
-      app_id: oauth_app.id,
-      valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10)
+      scopes: scopes,
+      user: user,
+      app: oauth_app,
+      valid_until: valid_until
     }
   end
 
+  def oauth_admin_token_factory(attrs \\ %{}) do
+    user = Map.get_lazy(attrs, :user, fn -> build(:user, is_admin: true) end)
+
+    scopes =
+      attrs
+      |> Map.get(:scopes, ["admin"])
+      |> Kernel.++(["admin"])
+      |> Enum.uniq()
+
+    attrs = Map.merge(attrs, %{user: user, scopes: scopes})
+    oauth_token_factory(attrs)
+  end
+
   def oauth_authorization_factory do
     %Pleroma.Web.OAuth.Authorization{
       token: :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false),
diff --git a/test/web/admin_api/admin_api_controller_test.exs b/test/web/admin_api/admin_api_controller_test.exs
index 49ff005b6..a3fbb6041 100644
--- a/test/web/admin_api/admin_api_controller_test.exs
+++ b/test/web/admin_api/admin_api_controller_test.exs
@@ -26,8 +26,16 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
     :ok
   end
 
-  clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
-    Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+  setup do
+    admin = insert(:user, is_admin: true)
+    token = insert(:oauth_admin_token, user: admin)
+
+    conn =
+      build_conn()
+      |> assign(:user, admin)
+      |> assign(:token, token)
+
+    {:ok, %{admin: admin, token: token, conn: conn}}
   end
 
   describe "with [:auth, :enforce_oauth_admin_scope_usage]," do
@@ -35,9 +43,9 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
       Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true)
     end
 
-    test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope" do
+    test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or broader scope",
+         %{admin: admin} do
       user = insert(:user)
-      admin = insert(:user, is_admin: true)
       url = "/api/pleroma/admin/users/#{user.nickname}"
 
       good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
@@ -80,14 +88,67 @@ test "GET /api/pleroma/admin/users/:nickname requires admin:read:accounts or bro
     end
   end
 
+  describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do
+    clear_config([:auth, :enforce_oauth_admin_scope_usage]) do
+      Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false)
+    end
+
+    test "GET /api/pleroma/admin/users/:nickname requires " <>
+           "read:accounts or admin:read:accounts or broader scope",
+         %{admin: admin} do
+      user = insert(:user)
+      url = "/api/pleroma/admin/users/#{user.nickname}"
+
+      good_token1 = insert(:oauth_token, user: admin, scopes: ["admin"])
+      good_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read"])
+      good_token3 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts"])
+      good_token4 = insert(:oauth_token, user: admin, scopes: ["read:accounts"])
+      good_token5 = insert(:oauth_token, user: admin, scopes: ["read"])
+
+      good_tokens = [good_token1, good_token2, good_token3, good_token4, good_token5]
+
+      bad_token1 = insert(:oauth_token, user: admin, scopes: ["read:accounts:partial"])
+      bad_token2 = insert(:oauth_token, user: admin, scopes: ["admin:read:accounts:partial"])
+      bad_token3 = nil
+
+      for good_token <- good_tokens do
+        conn =
+          build_conn()
+          |> assign(:user, admin)
+          |> assign(:token, good_token)
+          |> get(url)
+
+        assert json_response(conn, 200)
+      end
+
+      for good_token <- good_tokens do
+        conn =
+          build_conn()
+          |> assign(:user, nil)
+          |> assign(:token, good_token)
+          |> get(url)
+
+        assert json_response(conn, :forbidden)
+      end
+
+      for bad_token <- [bad_token1, bad_token2, bad_token3] do
+        conn =
+          build_conn()
+          |> assign(:user, admin)
+          |> assign(:token, bad_token)
+          |> get(url)
+
+        assert json_response(conn, :forbidden)
+      end
+    end
+  end
+
   describe "DELETE /api/pleroma/admin/users" do
-    test "single user" do
-      admin = insert(:user, is_admin: true)
+    test "single user", %{admin: admin, conn: conn} do
       user = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> delete("/api/pleroma/admin/users?nickname=#{user.nickname}")
 
@@ -99,14 +160,12 @@ test "single user" do
       assert json_response(conn, 200) == user.nickname
     end
 
-    test "multiple users" do
-      admin = insert(:user, is_admin: true)
+    test "multiple users", %{admin: admin, conn: conn} do
       user_one = insert(:user)
       user_two = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> delete("/api/pleroma/admin/users", %{
           nicknames: [user_one.nickname, user_two.nickname]
@@ -123,12 +182,9 @@ test "multiple users" do
   end
 
   describe "/api/pleroma/admin/users" do
-    test "Create" do
-      admin = insert(:user, is_admin: true)
-
+    test "Create", %{conn: conn} do
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> post("/api/pleroma/admin/users", %{
           "users" => [
@@ -153,13 +209,11 @@ test "Create" do
       assert ["lain", "lain2"] -- Enum.map(log_entry.data["subjects"], & &1["nickname"]) == []
     end
 
-    test "Cannot create user with existing email" do
-      admin = insert(:user, is_admin: true)
+    test "Cannot create user with existing email", %{conn: conn} do
       user = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> post("/api/pleroma/admin/users", %{
           "users" => [
@@ -184,13 +238,11 @@ test "Cannot create user with existing email" do
              ]
     end
 
-    test "Cannot create user with existing nickname" do
-      admin = insert(:user, is_admin: true)
+    test "Cannot create user with existing nickname", %{conn: conn} do
       user = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> post("/api/pleroma/admin/users", %{
           "users" => [
@@ -215,13 +267,11 @@ test "Cannot create user with existing nickname" do
              ]
     end
 
-    test "Multiple user creation works in transaction" do
-      admin = insert(:user, is_admin: true)
+    test "Multiple user creation works in transaction", %{conn: conn} do
       user = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> post("/api/pleroma/admin/users", %{
           "users" => [
@@ -265,13 +315,9 @@ test "Multiple user creation works in transaction" do
 
   describe "/api/pleroma/admin/users/:nickname" do
     test "Show", %{conn: conn} do
-      admin = insert(:user, is_admin: true)
       user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/users/#{user.nickname}")
+      conn = get(conn, "/api/pleroma/admin/users/#{user.nickname}")
 
       expected = %{
         "deactivated" => false,
@@ -289,26 +335,20 @@ test "Show", %{conn: conn} do
     end
 
     test "when the user doesn't exist", %{conn: conn} do
-      admin = insert(:user, is_admin: true)
       user = build(:user)
 
-      conn =
-        conn
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/users/#{user.nickname}")
+      conn = get(conn, "/api/pleroma/admin/users/#{user.nickname}")
 
       assert "Not found" == json_response(conn, 404)
     end
   end
 
   describe "/api/pleroma/admin/users/follow" do
-    test "allows to force-follow another user" do
-      admin = insert(:user, is_admin: true)
+    test "allows to force-follow another user", %{admin: admin, conn: conn} do
       user = insert(:user)
       follower = insert(:user)
 
-      build_conn()
-      |> assign(:user, admin)
+      conn
       |> put_req_header("accept", "application/json")
       |> post("/api/pleroma/admin/users/follow", %{
         "follower" => follower.nickname,
@@ -328,15 +368,13 @@ test "allows to force-follow another user" do
   end
 
   describe "/api/pleroma/admin/users/unfollow" do
-    test "allows to force-unfollow another user" do
-      admin = insert(:user, is_admin: true)
+    test "allows to force-unfollow another user", %{admin: admin, conn: conn} do
       user = insert(:user)
       follower = insert(:user)
 
       User.follow(follower, user)
 
-      build_conn()
-      |> assign(:user, admin)
+      conn
       |> put_req_header("accept", "application/json")
       |> post("/api/pleroma/admin/users/unfollow", %{
         "follower" => follower.nickname,
@@ -356,23 +394,20 @@ test "allows to force-unfollow another user" do
   end
 
   describe "PUT /api/pleroma/admin/users/tag" do
-    setup do
-      admin = insert(:user, is_admin: true)
+    setup %{conn: conn} do
       user1 = insert(:user, %{tags: ["x"]})
       user2 = insert(:user, %{tags: ["y"]})
       user3 = insert(:user, %{tags: ["unchanged"]})
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> put(
-          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=#{
-            user2.nickname
-          }&tags[]=foo&tags[]=bar"
+          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+            "#{user2.nickname}&tags[]=foo&tags[]=bar"
         )
 
-      %{conn: conn, admin: admin, user1: user1, user2: user2, user3: user3}
+      %{conn: conn, user1: user1, user2: user2, user3: user3}
     end
 
     test "it appends specified tags to users with specified nicknames", %{
@@ -405,23 +440,20 @@ test "it does not modify tags of not specified users", %{conn: conn, user3: user
   end
 
   describe "DELETE /api/pleroma/admin/users/tag" do
-    setup do
-      admin = insert(:user, is_admin: true)
+    setup %{conn: conn} do
       user1 = insert(:user, %{tags: ["x"]})
       user2 = insert(:user, %{tags: ["y", "z"]})
       user3 = insert(:user, %{tags: ["unchanged"]})
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> delete(
-          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=#{
-            user2.nickname
-          }&tags[]=x&tags[]=z"
+          "/api/pleroma/admin/users/tag?nicknames[]=#{user1.nickname}&nicknames[]=" <>
+            "#{user2.nickname}&tags[]=x&tags[]=z"
         )
 
-      %{conn: conn, admin: admin, user1: user1, user2: user2, user3: user3}
+      %{conn: conn, user1: user1, user2: user2, user3: user3}
     end
 
     test "it removes specified tags from users with specified nicknames", %{
@@ -454,12 +486,9 @@ test "it does not modify tags of not specified users", %{conn: conn, user3: user
   end
 
   describe "/api/pleroma/admin/users/:nickname/permission_group" do
-    test "GET is giving user_info" do
-      admin = insert(:user, is_admin: true)
-
+    test "GET is giving user_info", %{admin: admin, conn: conn} do
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> get("/api/pleroma/admin/users/#{admin.nickname}/permission_group/")
 
@@ -469,13 +498,11 @@ test "GET is giving user_info" do
              }
     end
 
-    test "/:right POST, can add to a permission group" do
-      admin = insert(:user, is_admin: true)
+    test "/:right POST, can add to a permission group", %{admin: admin, conn: conn} do
       user = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> post("/api/pleroma/admin/users/#{user.nickname}/permission_group/admin")
 
@@ -489,22 +516,18 @@ test "/:right POST, can add to a permission group" do
                "@#{admin.nickname} made @#{user.nickname} admin"
     end
 
-    test "/:right POST, can add to a permission group (multiple)" do
-      admin = insert(:user, is_admin: true)
+    test "/:right POST, can add to a permission group (multiple)", %{admin: admin, conn: conn} do
       user_one = insert(:user)
       user_two = insert(:user)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> post("/api/pleroma/admin/users/permission_group/admin", %{
           nicknames: [user_one.nickname, user_two.nickname]
         })
 
-      assert json_response(conn, 200) == %{
-               "is_admin" => true
-             }
+      assert json_response(conn, 200) == %{"is_admin" => true}
 
       log_entry = Repo.one(ModerationLog)
 
@@ -512,19 +535,15 @@ test "/:right POST, can add to a permission group (multiple)" do
                "@#{admin.nickname} made @#{user_one.nickname}, @#{user_two.nickname} admin"
     end
 
-    test "/:right DELETE, can remove from a permission group" do
-      admin = insert(:user, is_admin: true)
+    test "/:right DELETE, can remove from a permission group", %{admin: admin, conn: conn} do
       user = insert(:user, is_admin: true)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> delete("/api/pleroma/admin/users/#{user.nickname}/permission_group/admin")
 
-      assert json_response(conn, 200) == %{
-               "is_admin" => false
-             }
+      assert json_response(conn, 200) == %{"is_admin" => false}
 
       log_entry = Repo.one(ModerationLog)
 
@@ -532,22 +551,21 @@ test "/:right DELETE, can remove from a permission group" do
                "@#{admin.nickname} revoked admin role from @#{user.nickname}"
     end
 
-    test "/:right DELETE, can remove from a permission group (multiple)" do
-      admin = insert(:user, is_admin: true)
+    test "/:right DELETE, can remove from a permission group (multiple)", %{
+      admin: admin,
+      conn: conn
+    } do
       user_one = insert(:user, is_admin: true)
       user_two = insert(:user, is_admin: true)
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
+        conn
         |> put_req_header("accept", "application/json")
         |> delete("/api/pleroma/admin/users/permission_group/admin", %{
           nicknames: [user_one.nickname, user_two.nickname]
         })
 
-      assert json_response(conn, 200) == %{
-               "is_admin" => false
-             }
+      assert json_response(conn, 200) == %{"is_admin" => false}
 
       log_entry = Repo.one(ModerationLog)
 
@@ -559,10 +577,6 @@ test "/:right DELETE, can remove from a permission group (multiple)" do
   end
 
   describe "POST /api/pleroma/admin/email_invite, with valid config" do
-    setup do
-      [user: insert(:user, is_admin: true)]
-    end
-
     clear_config([:instance, :registrations_open]) do
       Pleroma.Config.put([:instance, :registrations_open], false)
     end
@@ -571,14 +585,13 @@ test "/:right DELETE, can remove from a permission group (multiple)" do
       Pleroma.Config.put([:instance, :invites_enabled], true)
     end
 
-    test "sends invitation and returns 204", %{conn: conn, user: user} do
+    test "sends invitation and returns 204", %{admin: admin, conn: conn} do
       recipient_email = "foo@bar.com"
       recipient_name = "J. D."
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post(
+        post(
+          conn,
           "/api/pleroma/admin/users/email_invite?email=#{recipient_email}&name=#{recipient_name}"
         )
 
@@ -593,7 +606,7 @@ test "sends invitation and returns 204", %{conn: conn, user: user} do
 
       email =
         Pleroma.Emails.UserEmail.user_invitation_email(
-          user,
+          admin,
           token_record,
           recipient_email,
           recipient_name
@@ -606,12 +619,14 @@ test "sends invitation and returns 204", %{conn: conn, user: user} do
       )
     end
 
-    test "it returns 403 if requested by a non-admin", %{conn: conn} do
+    test "it returns 403 if requested by a non-admin" do
       non_admin_user = insert(:user)
+      token = insert(:oauth_token, user: non_admin_user)
 
       conn =
-        conn
+        build_conn()
         |> assign(:user, non_admin_user)
+        |> assign(:token, token)
         |> post("/api/pleroma/admin/users/email_invite?email=foo@bar.com&name=JD")
 
       assert json_response(conn, :forbidden)
@@ -619,45 +634,33 @@ test "it returns 403 if requested by a non-admin", %{conn: conn} do
   end
 
   describe "POST /api/pleroma/admin/users/email_invite, with invalid config" do
-    setup do
-      [user: insert(:user, is_admin: true)]
-    end
-
     clear_config([:instance, :registrations_open])
     clear_config([:instance, :invites_enabled])
 
-    test "it returns 500 if `invites_enabled` is not enabled", %{conn: conn, user: user} do
+    test "it returns 500 if `invites_enabled` is not enabled", %{conn: conn} do
       Pleroma.Config.put([:instance, :registrations_open], false)
       Pleroma.Config.put([:instance, :invites_enabled], false)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/pleroma/admin/users/email_invite?email=foo@bar.com&name=JD")
+      conn = post(conn, "/api/pleroma/admin/users/email_invite?email=foo@bar.com&name=JD")
 
       assert json_response(conn, :internal_server_error)
     end
 
-    test "it returns 500 if `registrations_open` is enabled", %{conn: conn, user: user} do
+    test "it returns 500 if `registrations_open` is enabled", %{conn: conn} do
       Pleroma.Config.put([:instance, :registrations_open], true)
       Pleroma.Config.put([:instance, :invites_enabled], true)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/pleroma/admin/users/email_invite?email=foo@bar.com&name=JD")
+      conn = post(conn, "/api/pleroma/admin/users/email_invite?email=foo@bar.com&name=JD")
 
       assert json_response(conn, :internal_server_error)
     end
   end
 
-  test "/api/pleroma/admin/users/:nickname/password_reset" do
-    admin = insert(:user, is_admin: true)
+  test "/api/pleroma/admin/users/:nickname/password_reset", %{conn: conn} do
     user = insert(:user)
 
     conn =
-      build_conn()
-      |> assign(:user, admin)
+      conn
       |> put_req_header("accept", "application/json")
       |> get("/api/pleroma/admin/users/#{user.nickname}/password_reset")
 
@@ -667,16 +670,6 @@ test "/api/pleroma/admin/users/:nickname/password_reset" do
   end
 
   describe "GET /api/pleroma/admin/users" do
-    setup do
-      admin = insert(:user, is_admin: true)
-
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-
-      {:ok, conn: conn, admin: admin}
-    end
-
     test "renders users array for the first page", %{conn: conn, admin: admin} do
       user = insert(:user, local: false, tags: ["foo", "bar"])
       conn = get(conn, "/api/pleroma/admin/users?page=1")
@@ -898,6 +891,7 @@ test "regular search with page size", %{conn: conn} do
 
     test "only local users" do
       admin = insert(:user, is_admin: true, nickname: "john")
+      token = insert(:oauth_admin_token, user: admin)
       user = insert(:user, nickname: "bob")
 
       insert(:user, nickname: "bobb", local: false)
@@ -905,6 +899,7 @@ test "only local users" do
       conn =
         build_conn()
         |> assign(:user, admin)
+        |> assign(:token, token)
         |> get("/api/pleroma/admin/users?query=bo&filters=local")
 
       assert json_response(conn, 200) == %{
@@ -926,16 +921,13 @@ test "only local users" do
              }
     end
 
-    test "only local users with no query", %{admin: old_admin} do
+    test "only local users with no query", %{conn: conn, admin: old_admin} do
       admin = insert(:user, is_admin: true, nickname: "john")
       user = insert(:user, nickname: "bob")
 
       insert(:user, nickname: "bobb", local: false)
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/users?filters=local")
+      conn = get(conn, "/api/pleroma/admin/users?filters=local")
 
       users =
         [
@@ -1093,6 +1085,7 @@ test "load users with tags list", %{conn: conn} do
 
     test "it works with multiple filters" do
       admin = insert(:user, nickname: "john", is_admin: true)
+      token = insert(:oauth_admin_token, user: admin)
       user = insert(:user, nickname: "bob", local: false, deactivated: true)
 
       insert(:user, nickname: "ken", local: true, deactivated: true)
@@ -1101,6 +1094,7 @@ test "it works with multiple filters" do
       conn =
         build_conn()
         |> assign(:user, admin)
+        |> assign(:token, token)
         |> get("/api/pleroma/admin/users?filters=deactivated,external")
 
       assert json_response(conn, 200) == %{
@@ -1122,13 +1116,10 @@ test "it works with multiple filters" do
              }
     end
 
-    test "it omits relay user", %{admin: admin} do
+    test "it omits relay user", %{admin: admin, conn: conn} do
       assert %User{} = Relay.get_actor()
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/users")
+      conn = get(conn, "/api/pleroma/admin/users")
 
       assert json_response(conn, 200) == %{
                "count" => 1,
@@ -1150,15 +1141,13 @@ test "it omits relay user", %{admin: admin} do
     end
   end
 
-  test "PATCH /api/pleroma/admin/users/activate" do
-    admin = insert(:user, is_admin: true)
+  test "PATCH /api/pleroma/admin/users/activate", %{admin: admin, conn: conn} do
     user_one = insert(:user, deactivated: true)
     user_two = insert(:user, deactivated: true)
 
     conn =
-      build_conn()
-      |> assign(:user, admin)
-      |> patch(
+      patch(
+        conn,
         "/api/pleroma/admin/users/activate",
         %{nicknames: [user_one.nickname, user_two.nickname]}
       )
@@ -1172,15 +1161,13 @@ test "PATCH /api/pleroma/admin/users/activate" do
              "@#{admin.nickname} activated users: @#{user_one.nickname}, @#{user_two.nickname}"
   end
 
-  test "PATCH /api/pleroma/admin/users/deactivate" do
-    admin = insert(:user, is_admin: true)
+  test "PATCH /api/pleroma/admin/users/deactivate", %{admin: admin, conn: conn} do
     user_one = insert(:user, deactivated: false)
     user_two = insert(:user, deactivated: false)
 
     conn =
-      build_conn()
-      |> assign(:user, admin)
-      |> patch(
+      patch(
+        conn,
         "/api/pleroma/admin/users/deactivate",
         %{nicknames: [user_one.nickname, user_two.nickname]}
       )
@@ -1194,14 +1181,10 @@ test "PATCH /api/pleroma/admin/users/deactivate" do
              "@#{admin.nickname} deactivated users: @#{user_one.nickname}, @#{user_two.nickname}"
   end
 
-  test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation" do
-    admin = insert(:user, is_admin: true)
+  test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation", %{admin: admin, conn: conn} do
     user = insert(:user)
 
-    conn =
-      build_conn()
-      |> assign(:user, admin)
-      |> patch("/api/pleroma/admin/users/#{user.nickname}/toggle_activation")
+    conn = patch(conn, "/api/pleroma/admin/users/#{user.nickname}/toggle_activation")
 
     assert json_response(conn, 200) ==
              %{
@@ -1223,16 +1206,6 @@ test "PATCH /api/pleroma/admin/users/:nickname/toggle_activation" do
   end
 
   describe "POST /api/pleroma/admin/users/invite_token" do
-    setup do
-      admin = insert(:user, is_admin: true)
-
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-
-      {:ok, conn: conn}
-    end
-
     test "without options", %{conn: conn} do
       conn = post(conn, "/api/pleroma/admin/users/invite_token")
 
@@ -1287,16 +1260,6 @@ test "with max use and expires_at", %{conn: conn} do
   end
 
   describe "GET /api/pleroma/admin/users/invites" do
-    setup do
-      admin = insert(:user, is_admin: true)
-
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-
-      {:ok, conn: conn}
-    end
-
     test "no invites", %{conn: conn} do
       conn = get(conn, "/api/pleroma/admin/users/invites")
 
@@ -1325,14 +1288,10 @@ test "with invite", %{conn: conn} do
   end
 
   describe "POST /api/pleroma/admin/users/revoke_invite" do
-    test "with token" do
-      admin = insert(:user, is_admin: true)
+    test "with token", %{conn: conn} do
       {:ok, invite} = UserInviteToken.create_invite()
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> post("/api/pleroma/admin/users/revoke_invite", %{"token" => invite.token})
+      conn = post(conn, "/api/pleroma/admin/users/revoke_invite", %{"token" => invite.token})
 
       assert json_response(conn, 200) == %{
                "expires_at" => nil,
@@ -1345,25 +1304,14 @@ test "with token" do
              }
     end
 
-    test "with invalid token" do
-      admin = insert(:user, is_admin: true)
-
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> post("/api/pleroma/admin/users/revoke_invite", %{"token" => "foo"})
+    test "with invalid token", %{conn: conn} do
+      conn = post(conn, "/api/pleroma/admin/users/revoke_invite", %{"token" => "foo"})
 
       assert json_response(conn, :not_found) == "Not found"
     end
   end
 
   describe "GET /api/pleroma/admin/reports/:id" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
-      %{conn: assign(conn, :user, admin)}
-    end
-
     test "returns report by its id", %{conn: conn} do
       [reporter, target_user] = insert_pair(:user)
       activity = insert(:note_activity, user: target_user)
@@ -1391,8 +1339,7 @@ test "returns 404 when report id is invalid", %{conn: conn} do
   end
 
   describe "PATCH /api/pleroma/admin/reports" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
+    setup do
       [reporter, target_user] = insert_pair(:user)
       activity = insert(:note_activity, user: target_user)
 
@@ -1411,9 +1358,7 @@ test "returns 404 when report id is invalid", %{conn: conn} do
         })
 
       %{
-        conn: assign(conn, :user, admin),
         id: report_id,
-        admin: admin,
         second_report_id: second_report_id
       }
     end
@@ -1509,12 +1454,6 @@ test "updates state of multiple reports", %{
   end
 
   describe "GET /api/pleroma/admin/reports" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
-      %{conn: assign(conn, :user, admin)}
-    end
-
     test "returns empty response when no reports created", %{conn: conn} do
       response =
         conn
@@ -1609,10 +1548,12 @@ test "returns reports with specified state", %{conn: conn} do
 
     test "returns 403 when requested by a non-admin" do
       user = insert(:user)
+      token = insert(:oauth_token, user: user)
 
       conn =
         build_conn()
         |> assign(:user, user)
+        |> assign(:token, token)
         |> get("/api/pleroma/admin/reports")
 
       assert json_response(conn, :forbidden) ==
@@ -1620,17 +1561,14 @@ test "returns 403 when requested by a non-admin" do
     end
 
     test "returns 403 when requested by anonymous" do
-      conn =
-        build_conn()
-        |> get("/api/pleroma/admin/reports")
+      conn = get(build_conn(), "/api/pleroma/admin/reports")
 
       assert json_response(conn, :forbidden) == %{"error" => "Invalid credentials."}
     end
   end
 
   describe "GET /api/pleroma/admin/grouped_reports" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
+    setup do
       [reporter, target_user] = insert_pair(:user)
 
       date1 = (DateTime.to_unix(DateTime.utc_now()) + 1000) |> DateTime.from_unix!()
@@ -1665,7 +1603,6 @@ test "returns 403 when requested by anonymous" do
         })
 
       %{
-        conn: assign(conn, :user, admin),
         first_status: Activity.get_by_ap_id_with_object(first_status.data["id"]),
         second_status: Activity.get_by_ap_id_with_object(second_status.data["id"]),
         third_status: Activity.get_by_ap_id_with_object(third_status.data["id"]),
@@ -1833,11 +1770,10 @@ test "account not empty if status was deleted", %{
   end
 
   describe "PUT /api/pleroma/admin/statuses/:id" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
+    setup do
       activity = insert(:note_activity)
 
-      %{conn: assign(conn, :user, admin), id: activity.id, admin: admin}
+      %{id: activity.id}
     end
 
     test "toggle sensitive flag", %{conn: conn, id: id, admin: admin} do
@@ -1890,20 +1826,17 @@ test "change visibility flag", %{conn: conn, id: id, admin: admin} do
     end
 
     test "returns 400 when visibility is unknown", %{conn: conn, id: id} do
-      conn =
-        conn
-        |> put("/api/pleroma/admin/statuses/#{id}", %{"visibility" => "test"})
+      conn = put(conn, "/api/pleroma/admin/statuses/#{id}", %{"visibility" => "test"})
 
       assert json_response(conn, :bad_request) == "Unsupported visibility"
     end
   end
 
   describe "DELETE /api/pleroma/admin/statuses/:id" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
+    setup do
       activity = insert(:note_activity)
 
-      %{conn: assign(conn, :user, admin), id: activity.id, admin: admin}
+      %{id: activity.id}
     end
 
     test "deletes status", %{conn: conn, id: id, admin: admin} do
@@ -1920,21 +1853,13 @@ test "deletes status", %{conn: conn, id: id, admin: admin} do
     end
 
     test "returns error when status is not exist", %{conn: conn} do
-      conn =
-        conn
-        |> delete("/api/pleroma/admin/statuses/test")
+      conn = delete(conn, "/api/pleroma/admin/statuses/test")
 
       assert json_response(conn, :bad_request) == "Could not delete"
     end
   end
 
   describe "GET /api/pleroma/admin/config" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
-      %{conn: assign(conn, :user, admin)}
-    end
-
     test "without any settings in db", %{conn: conn} do
       conn = get(conn, "/api/pleroma/admin/config")
 
@@ -1966,9 +1891,7 @@ test "with settings in db", %{conn: conn} do
   end
 
   describe "POST /api/pleroma/admin/config" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
+    setup do
       temp_file = "config/test.exported_from_db.secret.exs"
 
       on_exit(fn ->
@@ -1982,8 +1905,6 @@ test "with settings in db", %{conn: conn} do
         Application.delete_env(:pleroma, Pleroma.Captcha.NotReal)
         :ok = File.rm(temp_file)
       end)
-
-      %{conn: assign(conn, :user, admin)}
     end
 
     clear_config([:instance, :dynamic_configuration]) do
@@ -2535,9 +2456,7 @@ test "delete part of settings by atom subkeys", %{conn: conn} do
   end
 
   describe "config mix tasks run" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
+    setup do
       temp_file = "config/test.exported_from_db.secret.exs"
 
       Mix.shell(Mix.Shell.Quiet)
@@ -2547,7 +2466,7 @@ test "delete part of settings by atom subkeys", %{conn: conn} do
         :ok = File.rm(temp_file)
       end)
 
-      %{conn: assign(conn, :user, admin), admin: admin}
+      :ok
     end
 
     clear_config([:instance, :dynamic_configuration]) do
@@ -2558,25 +2477,21 @@ test "delete part of settings by atom subkeys", %{conn: conn} do
       Pleroma.Config.put([:feed, :post_title], %{max_length: 100, omission: "…"})
     end
 
-    test "transfer settings to DB and to file", %{conn: conn, admin: admin} do
+    test "transfer settings to DB and to file", %{conn: conn} do
       assert Pleroma.Repo.all(Pleroma.Web.AdminAPI.Config) == []
-      conn = get(conn, "/api/pleroma/admin/config/migrate_to_db")
-      assert json_response(conn, 200) == %{}
+      ret_conn = get(conn, "/api/pleroma/admin/config/migrate_to_db")
+      assert json_response(ret_conn, 200) == %{}
       assert Pleroma.Repo.all(Pleroma.Web.AdminAPI.Config) > 0
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/config/migrate_from_db")
+      ret_conn = get(conn, "/api/pleroma/admin/config/migrate_from_db")
 
-      assert json_response(conn, 200) == %{}
+      assert json_response(ret_conn, 200) == %{}
       assert Pleroma.Repo.all(Pleroma.Web.AdminAPI.Config) == []
     end
   end
 
   describe "GET /api/pleroma/admin/users/:nickname/statuses" do
     setup do
-      admin = insert(:user, is_admin: true)
       user = insert(:user)
 
       date1 = (DateTime.to_unix(DateTime.utc_now()) + 2000) |> DateTime.from_unix!()
@@ -2587,11 +2502,7 @@ test "transfer settings to DB and to file", %{conn: conn, admin: admin} do
       insert(:note_activity, user: user, published: date2)
       insert(:note_activity, user: user, published: date3)
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-
-      {:ok, conn: conn, user: user}
+      %{user: user}
     end
 
     test "renders user's statuses", %{conn: conn, user: user} do
@@ -2632,11 +2543,10 @@ test "returns private statuses with godmode on", %{conn: conn, user: user} do
   end
 
   describe "GET /api/pleroma/admin/moderation_log" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
+    setup do
       moderator = insert(:user, is_moderator: true)
 
-      %{conn: assign(conn, :user, admin), admin: admin, moderator: moderator}
+      %{moderator: moderator}
     end
 
     test "returns the log", %{conn: conn, admin: admin} do
@@ -2841,20 +2751,12 @@ test "returns log filtered by search", %{conn: conn, moderator: moderator} do
   end
 
   describe "PATCH /users/:nickname/force_password_reset" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
+    test "sets password_reset_pending to true", %{conn: conn} do
       user = insert(:user)
-
-      %{conn: assign(conn, :user, admin), admin: admin, user: user}
-    end
-
-    test "sets password_reset_pending to true", %{admin: admin, user: user} do
       assert user.password_reset_pending == false
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> patch("/api/pleroma/admin/users/force_password_reset", %{nicknames: [user.nickname]})
+        patch(conn, "/api/pleroma/admin/users/force_password_reset", %{nicknames: [user.nickname]})
 
       assert json_response(conn, 204) == ""
 
@@ -2865,17 +2767,9 @@ test "sets password_reset_pending to true", %{admin: admin, user: user} do
   end
 
   describe "relays" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
-      %{conn: assign(conn, :user, admin), admin: admin}
-    end
-
-    test "POST /relay", %{admin: admin} do
+    test "POST /relay", %{conn: conn, admin: admin} do
       conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> post("/api/pleroma/admin/relay", %{
+        post(conn, "/api/pleroma/admin/relay", %{
           relay_url: "http://mastodon.example.org/users/admin"
         })
 
@@ -2887,7 +2781,7 @@ test "POST /relay", %{admin: admin} do
                "@#{admin.nickname} followed relay: http://mastodon.example.org/users/admin"
     end
 
-    test "GET /relay", %{admin: admin} do
+    test "GET /relay", %{conn: conn} do
       relay_user = Pleroma.Web.ActivityPub.Relay.get_actor()
 
       ["http://mastodon.example.org/users/admin", "https://mstdn.io/users/mayuutann"]
@@ -2896,25 +2790,18 @@ test "GET /relay", %{admin: admin} do
         User.follow(relay_user, user)
       end)
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/relay")
+      conn = get(conn, "/api/pleroma/admin/relay")
 
       assert json_response(conn, 200)["relays"] -- ["mastodon.example.org", "mstdn.io"] == []
     end
 
-    test "DELETE /relay", %{admin: admin} do
-      build_conn()
-      |> assign(:user, admin)
-      |> post("/api/pleroma/admin/relay", %{
+    test "DELETE /relay", %{conn: conn, admin: admin} do
+      post(conn, "/api/pleroma/admin/relay", %{
         relay_url: "http://mastodon.example.org/users/admin"
       })
 
       conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> delete("/api/pleroma/admin/relay", %{
+        delete(conn, "/api/pleroma/admin/relay", %{
           relay_url: "http://mastodon.example.org/users/admin"
         })
 
@@ -2931,63 +2818,48 @@ test "DELETE /relay", %{admin: admin} do
   end
 
   describe "instances" do
-    test "GET /instances/:instance/statuses" do
-      admin = insert(:user, is_admin: true)
+    test "GET /instances/:instance/statuses", %{conn: conn} do
       user = insert(:user, local: false, nickname: "archaeme@archae.me")
       user2 = insert(:user, local: false, nickname: "test@test.com")
       insert_pair(:note_activity, user: user)
       insert(:note_activity, user: user2)
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/instances/archae.me/statuses")
+      ret_conn = get(conn, "/api/pleroma/admin/instances/archae.me/statuses")
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert length(response) == 2
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/instances/test.com/statuses")
+      ret_conn = get(conn, "/api/pleroma/admin/instances/test.com/statuses")
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert length(response) == 1
 
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/instances/nonexistent.com/statuses")
+      ret_conn = get(conn, "/api/pleroma/admin/instances/nonexistent.com/statuses")
 
-      response = json_response(conn, 200)
+      response = json_response(ret_conn, 200)
 
       assert length(response) == 0
     end
   end
 
   describe "PATCH /confirm_email" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
-      %{conn: assign(conn, :user, admin), admin: admin}
-    end
-
-    test "it confirms emails of two users", %{admin: admin} do
+    test "it confirms emails of two users", %{conn: conn, admin: admin} do
       [first_user, second_user] = insert_pair(:user, confirmation_pending: true)
 
       assert first_user.confirmation_pending == true
       assert second_user.confirmation_pending == true
 
-      build_conn()
-      |> assign(:user, admin)
-      |> patch("/api/pleroma/admin/users/confirm_email", %{
-        nicknames: [
-          first_user.nickname,
-          second_user.nickname
-        ]
-      })
+      ret_conn =
+        patch(conn, "/api/pleroma/admin/users/confirm_email", %{
+          nicknames: [
+            first_user.nickname,
+            second_user.nickname
+          ]
+        })
+
+      assert ret_conn.status == 200
 
       assert first_user.confirmation_pending == true
       assert second_user.confirmation_pending == true
@@ -3002,23 +2874,18 @@ test "it confirms emails of two users", %{admin: admin} do
   end
 
   describe "PATCH /resend_confirmation_email" do
-    setup %{conn: conn} do
-      admin = insert(:user, is_admin: true)
-
-      %{conn: assign(conn, :user, admin), admin: admin}
-    end
-
-    test "it resend emails for two users", %{admin: admin} do
+    test "it resend emails for two users", %{conn: conn, admin: admin} do
       [first_user, second_user] = insert_pair(:user, confirmation_pending: true)
 
-      build_conn()
-      |> assign(:user, admin)
-      |> patch("/api/pleroma/admin/users/resend_confirmation_email", %{
-        nicknames: [
-          first_user.nickname,
-          second_user.nickname
-        ]
-      })
+      ret_conn =
+        patch(conn, "/api/pleroma/admin/users/resend_confirmation_email", %{
+          nicknames: [
+            first_user.nickname,
+            second_user.nickname
+          ]
+        })
+
+      assert ret_conn.status == 200
 
       log_entry = Repo.one(ModerationLog)
 
@@ -3030,8 +2897,7 @@ test "it resend emails for two users", %{admin: admin} do
   end
 
   describe "POST /reports/:id/notes" do
-    setup do
-      admin = insert(:user, is_admin: true)
+    setup %{conn: conn, admin: admin} do
       [reporter, target_user] = insert_pair(:user)
       activity = insert(:note_activity, user: target_user)
 
@@ -3042,22 +2908,17 @@ test "it resend emails for two users", %{admin: admin} do
           "status_ids" => [activity.id]
         })
 
-      build_conn()
-      |> assign(:user, admin)
-      |> post("/api/pleroma/admin/reports/#{report_id}/notes", %{
+      post(conn, "/api/pleroma/admin/reports/#{report_id}/notes", %{
         content: "this is disgusting!"
       })
 
-      build_conn()
-      |> assign(:user, admin)
-      |> post("/api/pleroma/admin/reports/#{report_id}/notes", %{
+      post(conn, "/api/pleroma/admin/reports/#{report_id}/notes", %{
         content: "this is disgusting2!"
       })
 
       %{
         admin_id: admin.id,
-        report_id: report_id,
-        admin: admin
+        report_id: report_id
       }
     end
 
@@ -3071,11 +2932,8 @@ test "it creates report note", %{admin_id: admin_id, report_id: report_id} do
              } = note
     end
 
-    test "it returns reports with notes", %{admin: admin} do
-      conn =
-        build_conn()
-        |> assign(:user, admin)
-        |> get("/api/pleroma/admin/reports")
+    test "it returns reports with notes", %{conn: conn, admin: admin} do
+      conn = get(conn, "/api/pleroma/admin/reports")
 
       response = json_response(conn, 200)
       notes = hd(response["reports"])["notes"]
@@ -3087,14 +2945,12 @@ test "it returns reports with notes", %{admin: admin} do
       assert response["total"] == 1
     end
 
-    test "it deletes the note", %{admin: admin, report_id: report_id} do
+    test "it deletes the note", %{conn: conn, report_id: report_id} do
       assert ReportNote |> Repo.all() |> length() == 2
 
       [note, _] = Repo.all(ReportNote)
 
-      build_conn()
-      |> assign(:user, admin)
-      |> delete("/api/pleroma/admin/reports/#{report_id}/notes/#{note.id}")
+      delete(conn, "/api/pleroma/admin/reports/#{report_id}/notes/#{note.id}")
 
       assert ReportNote |> Repo.all() |> length() == 1
     end
diff --git a/test/web/mastodon_api/controllers/status_controller_test.exs b/test/web/mastodon_api/controllers/status_controller_test.exs
index 5fbe947ba..307221c5d 100644
--- a/test/web/mastodon_api/controllers/status_controller_test.exs
+++ b/test/web/mastodon_api/controllers/status_controller_test.exs
@@ -23,24 +23,14 @@ defmodule Pleroma.Web.MastodonAPI.StatusControllerTest do
   clear_config([:instance, :allow_relay])
 
   describe "posting statuses" do
-    setup do
-      user = insert(:user)
-
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
-      [conn: conn]
-    end
+    setup do: oauth_access(["write:statuses"])
 
     test "posting a status does not increment reblog_count when relaying", %{conn: conn} do
       Pleroma.Config.put([:instance, :federating], true)
       Pleroma.Config.get([:instance, :allow_relay], true)
-      user = insert(:user)
 
       response =
         conn
-        |> assign(:user, user)
         |> post("api/v1/statuses", %{
           "content_type" => "text/plain",
           "source" => "Pleroma FE",
@@ -54,7 +44,6 @@ test "posting a status does not increment reblog_count when relaying", %{conn: c
 
       response =
         conn
-        |> assign(:user, user)
         |> get("api/v1/statuses/#{response["id"]}", %{})
         |> json_response(200)
 
@@ -132,9 +121,7 @@ test "posting a status", %{conn: conn} do
                NaiveDateTime.to_iso8601(expiration.scheduled_at)
     end
 
-    test "posting an undefined status with an attachment", %{conn: conn} do
-      user = insert(:user)
-
+    test "posting an undefined status with an attachment", %{user: user, conn: conn} do
       file = %Plug.Upload{
         content_type: "image/jpg",
         path: Path.absname("test/fixtures/image.jpg"),
@@ -144,17 +131,14 @@ test "posting an undefined status with an attachment", %{conn: conn} do
       {:ok, upload} = ActivityPub.upload(file, actor: user.ap_id)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "media_ids" => [to_string(upload.id)]
         })
 
       assert json_response(conn, 200)
     end
 
-    test "replying to a status", %{conn: conn} do
-      user = insert(:user)
+    test "replying to a status", %{user: user, conn: conn} do
       {:ok, replied_to} = CommonAPI.post(user, %{"status" => "cofe"})
 
       conn =
@@ -169,8 +153,10 @@ test "replying to a status", %{conn: conn} do
       assert Activity.get_in_reply_to_activity(activity).id == replied_to.id
     end
 
-    test "replying to a direct message with visibility other than direct", %{conn: conn} do
-      user = insert(:user)
+    test "replying to a direct message with visibility other than direct", %{
+      user: user,
+      conn: conn
+    } do
       {:ok, replied_to} = CommonAPI.post(user, %{"status" => "suya..", "visibility" => "direct"})
 
       Enum.each(["public", "private", "unlisted"], fn visibility ->
@@ -187,18 +173,14 @@ test "replying to a direct message with visibility other than direct", %{conn: c
     end
 
     test "posting a status with an invalid in_reply_to_id", %{conn: conn} do
-      conn =
-        conn
-        |> post("/api/v1/statuses", %{"status" => "xD", "in_reply_to_id" => ""})
+      conn = post(conn, "/api/v1/statuses", %{"status" => "xD", "in_reply_to_id" => ""})
 
       assert %{"content" => "xD", "id" => id} = json_response(conn, 200)
       assert Activity.get_by_id(id)
     end
 
     test "posting a sensitive status", %{conn: conn} do
-      conn =
-        conn
-        |> post("/api/v1/statuses", %{"status" => "cofe", "sensitive" => true})
+      conn = post(conn, "/api/v1/statuses", %{"status" => "cofe", "sensitive" => true})
 
       assert %{"content" => "cofe", "id" => id, "sensitive" => true} = json_response(conn, 200)
       assert Activity.get_by_id(id)
@@ -206,8 +188,7 @@ test "posting a sensitive status", %{conn: conn} do
 
     test "posting a fake status", %{conn: conn} do
       real_conn =
-        conn
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" =>
             "\"Tenshi Eating a Corndog\" is a much discussed concept on /jp/. The significance of it is disputed, so I will focus on one core concept: the symbolism behind it"
         })
@@ -226,8 +207,7 @@ test "posting a fake status", %{conn: conn} do
         |> Kernel.put_in(["pleroma", "conversation_id"], nil)
 
       fake_conn =
-        conn
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" =>
             "\"Tenshi Eating a Corndog\" is a much discussed concept on /jp/. The significance of it is disputed, so I will focus on one core concept: the symbolism behind it",
           "preview" => true
@@ -254,8 +234,7 @@ test "posting a status with OGP link preview", %{conn: conn} do
       Config.put([:rich_media, :enabled], true)
 
       conn =
-        conn
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "https://example.com/ogp"
         })
 
@@ -267,9 +246,7 @@ test "posting a direct status", %{conn: conn} do
       user2 = insert(:user)
       content = "direct cofe @#{user2.nickname}"
 
-      conn =
-        conn
-        |> post("api/v1/statuses", %{"status" => content, "visibility" => "direct"})
+      conn = post(conn, "api/v1/statuses", %{"status" => content, "visibility" => "direct"})
 
       assert %{"id" => id} = response = json_response(conn, 200)
       assert response["visibility"] == "direct"
@@ -282,14 +259,13 @@ test "posting a direct status", %{conn: conn} do
   end
 
   describe "posting scheduled statuses" do
+    setup do: oauth_access(["write:statuses"])
+
     test "creates a scheduled activity", %{conn: conn} do
-      user = insert(:user)
       scheduled_at = NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "scheduled",
           "scheduled_at" => scheduled_at
         })
@@ -299,8 +275,7 @@ test "creates a scheduled activity", %{conn: conn} do
       assert [] == Repo.all(Activity)
     end
 
-    test "creates a scheduled activity with a media attachment", %{conn: conn} do
-      user = insert(:user)
+    test "creates a scheduled activity with a media attachment", %{user: user, conn: conn} do
       scheduled_at = NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(120), :millisecond)
 
       file = %Plug.Upload{
@@ -312,9 +287,7 @@ test "creates a scheduled activity with a media attachment", %{conn: conn} do
       {:ok, upload} = ActivityPub.upload(file, actor: user.ap_id)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "media_ids" => [to_string(upload.id)],
           "status" => "scheduled",
           "scheduled_at" => scheduled_at
@@ -326,15 +299,11 @@ test "creates a scheduled activity with a media attachment", %{conn: conn} do
 
     test "skips the scheduling and creates the activity if scheduled_at is earlier than 5 minutes from now",
          %{conn: conn} do
-      user = insert(:user)
-
       scheduled_at =
         NaiveDateTime.add(NaiveDateTime.utc_now(), :timer.minutes(5) - 1, :millisecond)
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "not scheduled",
           "scheduled_at" => scheduled_at
         })
@@ -343,9 +312,7 @@ test "skips the scheduling and creates the activity if scheduled_at is earlier t
       assert [] == Repo.all(ScheduledActivity)
     end
 
-    test "returns error when daily user limit is exceeded", %{conn: conn} do
-      user = insert(:user)
-
+    test "returns error when daily user limit is exceeded", %{user: user, conn: conn} do
       today =
         NaiveDateTime.utc_now()
         |> NaiveDateTime.add(:timer.minutes(6), :millisecond)
@@ -355,17 +322,12 @@ test "returns error when daily user limit is exceeded", %{conn: conn} do
       {:ok, _} = ScheduledActivity.create(user, attrs)
       {:ok, _} = ScheduledActivity.create(user, attrs)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => today})
+      conn = post(conn, "/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => today})
 
       assert %{"error" => "daily limit exceeded"} == json_response(conn, 422)
     end
 
-    test "returns error when total user limit is exceeded", %{conn: conn} do
-      user = insert(:user)
-
+    test "returns error when total user limit is exceeded", %{user: user, conn: conn} do
       today =
         NaiveDateTime.utc_now()
         |> NaiveDateTime.add(:timer.minutes(6), :millisecond)
@@ -382,23 +344,20 @@ test "returns error when total user limit is exceeded", %{conn: conn} do
       {:ok, _} = ScheduledActivity.create(user, %{params: %{}, scheduled_at: tomorrow})
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => tomorrow})
+        post(conn, "/api/v1/statuses", %{"status" => "scheduled", "scheduled_at" => tomorrow})
 
       assert %{"error" => "total limit exceeded"} == json_response(conn, 422)
     end
   end
 
   describe "posting polls" do
+    setup do: oauth_access(["write:statuses"])
+
     test "posting a poll", %{conn: conn} do
-      user = insert(:user)
       time = NaiveDateTime.utc_now()
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "Who is the #bestgrill?",
           "poll" => %{"options" => ["Rei", "Asuka", "Misato"], "expires_in" => 420}
         })
@@ -414,13 +373,10 @@ test "posting a poll", %{conn: conn} do
     end
 
     test "option limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :max_options])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "desu~",
           "poll" => %{"options" => Enum.map(0..limit, fn _ -> "desu" end), "expires_in" => 1}
         })
@@ -430,13 +386,10 @@ test "option limit is enforced", %{conn: conn} do
     end
 
     test "option character limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :max_option_chars])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "...",
           "poll" => %{
             "options" => [Enum.reduce(0..limit, "", fn _, acc -> acc <> "." end)],
@@ -449,13 +402,10 @@ test "option character limit is enforced", %{conn: conn} do
     end
 
     test "minimal date limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :min_expiration])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "imagine arbitrary limits",
           "poll" => %{
             "options" => ["this post was made by pleroma gang"],
@@ -468,13 +418,10 @@ test "minimal date limit is enforced", %{conn: conn} do
     end
 
     test "maximum date limit is enforced", %{conn: conn} do
-      user = insert(:user)
       limit = Config.get([:instance, :poll_limits, :max_expiration])
 
       conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses", %{
+        post(conn, "/api/v1/statuses", %{
           "status" => "imagine arbitrary limits",
           "poll" => %{
             "options" => ["this post was made by pleroma gang"],
@@ -487,19 +434,18 @@ test "maximum date limit is enforced", %{conn: conn} do
     end
   end
 
-  test "get a status", %{conn: conn} do
+  test "get a status" do
+    %{conn: conn} = oauth_access(["read:statuses"])
     activity = insert(:note_activity)
 
-    conn =
-      conn
-      |> get("/api/v1/statuses/#{activity.id}")
+    conn = get(conn, "/api/v1/statuses/#{activity.id}")
 
     assert %{"id" => id} = json_response(conn, 200)
     assert id == to_string(activity.id)
   end
 
-  test "get a direct status", %{conn: conn} do
-    user = insert(:user)
+  test "get a direct status" do
+    %{user: user, conn: conn} = oauth_access(["read:statuses"])
     other_user = insert(:user)
 
     {:ok, activity} =
@@ -516,7 +462,8 @@ test "get a direct status", %{conn: conn} do
     assert res["pleroma"]["direct_conversation_id"] == participation.id
   end
 
-  test "get statuses by IDs", %{conn: conn} do
+  test "get statuses by IDs" do
+    %{conn: conn} = oauth_access(["read:statuses"])
     %{id: id1} = insert(:note_activity)
     %{id: id2} = insert(:note_activity)
 
@@ -527,9 +474,9 @@ test "get statuses by IDs", %{conn: conn} do
   end
 
   describe "deleting a status" do
-    test "when you created it", %{conn: conn} do
-      activity = insert(:note_activity)
-      author = User.get_cached_by_ap_id(activity.data["actor"])
+    test "when you created it" do
+      %{user: author, conn: conn} = oauth_access(["write:statuses"])
+      activity = insert(:note_activity, user: author)
 
       conn =
         conn
@@ -541,14 +488,11 @@ test "when you created it", %{conn: conn} do
       refute Activity.get_by_id(activity.id)
     end
 
-    test "when you didn't create it", %{conn: conn} do
+    test "when you didn't create it" do
+      %{conn: conn} = oauth_access(["write:statuses"])
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> delete("/api/v1/statuses/#{activity.id}")
+      conn = delete(conn, "/api/v1/statuses/#{activity.id}")
 
       assert %{"error" => _} = json_response(conn, 403)
 
@@ -564,6 +508,7 @@ test "when you're an admin or moderator", %{conn: conn} do
       res_conn =
         conn
         |> assign(:user, admin)
+        |> assign(:token, insert(:oauth_token, user: admin, scopes: ["write:statuses"]))
         |> delete("/api/v1/statuses/#{activity1.id}")
 
       assert %{} = json_response(res_conn, 200)
@@ -571,6 +516,7 @@ test "when you're an admin or moderator", %{conn: conn} do
       res_conn =
         conn
         |> assign(:user, moderator)
+        |> assign(:token, insert(:oauth_token, user: moderator, scopes: ["write:statuses"]))
         |> delete("/api/v1/statuses/#{activity2.id}")
 
       assert %{} = json_response(res_conn, 200)
@@ -581,14 +527,12 @@ test "when you're an admin or moderator", %{conn: conn} do
   end
 
   describe "reblogging" do
+    setup do: oauth_access(["write:statuses"])
+
     test "reblogs and returns the reblogged status", %{conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/reblog")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/reblog")
 
       assert %{
                "reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1},
@@ -600,12 +544,8 @@ test "reblogs and returns the reblogged status", %{conn: conn} do
 
     test "reblogs privately and returns the reblogged status", %{conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/reblog", %{"visibility" => "private"})
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/reblog", %{"visibility" => "private"})
 
       assert %{
                "reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1},
@@ -616,7 +556,7 @@ test "reblogs privately and returns the reblogged status", %{conn: conn} do
       assert to_string(activity.id) == id
     end
 
-    test "reblogged status for another user", %{conn: conn} do
+    test "reblogged status for another user" do
       activity = insert(:note_activity)
       user1 = insert(:user)
       user2 = insert(:user)
@@ -627,8 +567,9 @@ test "reblogged status for another user", %{conn: conn} do
       {:ok, _, _object} = CommonAPI.repeat(activity.id, user2)
 
       conn_res =
-        conn
+        build_conn()
         |> assign(:user, user3)
+        |> assign(:token, insert(:oauth_token, user: user3, scopes: ["read:statuses"]))
         |> get("/api/v1/statuses/#{reblog_activity1.id}")
 
       assert %{
@@ -639,8 +580,9 @@ test "reblogged status for another user", %{conn: conn} do
              } = json_response(conn_res, 200)
 
       conn_res =
-        conn
+        build_conn()
         |> assign(:user, user2)
+        |> assign(:token, insert(:oauth_token, user: user2, scopes: ["read:statuses"]))
         |> get("/api/v1/statuses/#{reblog_activity1.id}")
 
       assert %{
@@ -654,28 +596,21 @@ test "reblogged status for another user", %{conn: conn} do
     end
 
     test "returns 400 error when activity is not exist", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/foo/reblog")
+      conn = post(conn, "/api/v1/statuses/foo/reblog")
 
       assert json_response(conn, 400) == %{"error" => "Could not repeat"}
     end
   end
 
   describe "unreblogging" do
-    test "unreblogs and returns the unreblogged status", %{conn: conn} do
+    setup do: oauth_access(["write:statuses"])
+
+    test "unreblogs and returns the unreblogged status", %{user: user, conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
       {:ok, _, _} = CommonAPI.repeat(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/unreblog")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/unreblog")
 
       assert %{"id" => id, "reblogged" => false, "reblogs_count" => 0} = json_response(conn, 200)
 
@@ -683,26 +618,19 @@ test "unreblogs and returns the unreblogged status", %{conn: conn} do
     end
 
     test "returns 400 error when activity is not exist", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/foo/unreblog")
+      conn = post(conn, "/api/v1/statuses/foo/unreblog")
 
       assert json_response(conn, 400) == %{"error" => "Could not unrepeat"}
     end
   end
 
   describe "favoriting" do
+    setup do: oauth_access(["write:favourites"])
+
     test "favs a status and returns it", %{conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/favourite")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/favourite")
 
       assert %{"id" => id, "favourites_count" => 1, "favourited" => true} =
                json_response(conn, 200)
@@ -711,28 +639,21 @@ test "favs a status and returns it", %{conn: conn} do
     end
 
     test "returns 400 error for a wrong id", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/1/favourite")
+      conn = post(conn, "/api/v1/statuses/1/favourite")
 
       assert json_response(conn, 400) == %{"error" => "Could not favorite"}
     end
   end
 
   describe "unfavoriting" do
-    test "unfavorites a status and returns it", %{conn: conn} do
+    setup do: oauth_access(["write:favourites"])
+
+    test "unfavorites a status and returns it", %{user: user, conn: conn} do
       activity = insert(:note_activity)
-      user = insert(:user)
 
       {:ok, _, _} = CommonAPI.favorite(activity.id, user)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/unfavourite")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/unfavourite")
 
       assert %{"id" => id, "favourites_count" => 0, "favourited" => false} =
                json_response(conn, 200)
@@ -741,23 +662,19 @@ test "unfavorites a status and returns it", %{conn: conn} do
     end
 
     test "returns 400 error for a wrong id", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/1/unfavourite")
+      conn = post(conn, "/api/v1/statuses/1/unfavourite")
 
       assert json_response(conn, 400) == %{"error" => "Could not unfavorite"}
     end
   end
 
   describe "pinned statuses" do
-    setup do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
+
+    setup %{user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "HI!!!"})
 
-      [user: user, activity: activity]
+      %{activity: activity}
     end
 
     clear_config([:instance, :max_pinned_statuses]) do
@@ -769,13 +686,11 @@ test "pin status", %{conn: conn, user: user, activity: activity} do
 
       assert %{"id" => ^id_str, "pinned" => true} =
                conn
-               |> assign(:user, user)
                |> post("/api/v1/statuses/#{activity.id}/pin")
                |> json_response(200)
 
       assert [%{"id" => ^id_str, "pinned" => true}] =
                conn
-               |> assign(:user, user)
                |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
                |> json_response(200)
     end
@@ -783,19 +698,16 @@ test "pin status", %{conn: conn, user: user, activity: activity} do
     test "/pin: returns 400 error when activity is not public", %{conn: conn, user: user} do
       {:ok, dm} = CommonAPI.post(user, %{"status" => "test", "visibility" => "direct"})
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{dm.id}/pin")
+      conn = post(conn, "/api/v1/statuses/#{dm.id}/pin")
 
       assert json_response(conn, 400) == %{"error" => "Could not pin"}
     end
 
     test "unpin status", %{conn: conn, user: user, activity: activity} do
       {:ok, _} = CommonAPI.pin(activity.id, user)
+      user = refresh_record(user)
 
       id_str = to_string(activity.id)
-      user = refresh_record(user)
 
       assert %{"id" => ^id_str, "pinned" => false} =
                conn
@@ -805,16 +717,12 @@ test "unpin status", %{conn: conn, user: user, activity: activity} do
 
       assert [] =
                conn
-               |> assign(:user, user)
                |> get("/api/v1/accounts/#{user.id}/statuses?pinned=true")
                |> json_response(200)
     end
 
-    test "/unpin: returns 400 error when activity is not exist", %{conn: conn, user: user} do
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/1/unpin")
+    test "/unpin: returns 400 error when activity is not exist", %{conn: conn} do
+      conn = post(conn, "/api/v1/statuses/1/unpin")
 
       assert json_response(conn, 400) == %{"error" => "Could not unpin"}
     end
@@ -826,7 +734,6 @@ test "max pinned statuses", %{conn: conn, user: user, activity: activity_one} do
 
       assert %{"id" => ^id_str_one, "pinned" => true} =
                conn
-               |> assign(:user, user)
                |> post("/api/v1/statuses/#{id_str_one}/pin")
                |> json_response(200)
 
@@ -844,8 +751,7 @@ test "max pinned statuses", %{conn: conn, user: user, activity: activity_one} do
     setup do
       Config.put([:rich_media, :enabled], true)
 
-      user = insert(:user)
-      %{user: user}
+      oauth_access(["read:statuses"])
     end
 
     test "returns rich-media card", %{conn: conn, user: user} do
@@ -887,7 +793,6 @@ test "returns rich-media card", %{conn: conn, user: user} do
 
       response_two =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/card")
         |> json_response(200)
 
@@ -925,72 +830,55 @@ test "replaces missing description with an empty string", %{conn: conn, user: us
   end
 
   test "bookmarks" do
-    user = insert(:user)
-    for_user = insert(:user)
+    %{conn: conn} = oauth_access(["write:bookmarks", "read:bookmarks"])
+    author = insert(:user)
 
     {:ok, activity1} =
-      CommonAPI.post(user, %{
+      CommonAPI.post(author, %{
         "status" => "heweoo?"
       })
 
     {:ok, activity2} =
-      CommonAPI.post(user, %{
+      CommonAPI.post(author, %{
         "status" => "heweoo!"
       })
 
-    response1 =
-      build_conn()
-      |> assign(:user, for_user)
-      |> post("/api/v1/statuses/#{activity1.id}/bookmark")
+    response1 = post(conn, "/api/v1/statuses/#{activity1.id}/bookmark")
 
     assert json_response(response1, 200)["bookmarked"] == true
 
-    response2 =
-      build_conn()
-      |> assign(:user, for_user)
-      |> post("/api/v1/statuses/#{activity2.id}/bookmark")
+    response2 = post(conn, "/api/v1/statuses/#{activity2.id}/bookmark")
 
     assert json_response(response2, 200)["bookmarked"] == true
 
-    bookmarks =
-      build_conn()
-      |> assign(:user, for_user)
-      |> get("/api/v1/bookmarks")
+    bookmarks = get(conn, "/api/v1/bookmarks")
 
     assert [json_response(response2, 200), json_response(response1, 200)] ==
              json_response(bookmarks, 200)
 
-    response1 =
-      build_conn()
-      |> assign(:user, for_user)
-      |> post("/api/v1/statuses/#{activity1.id}/unbookmark")
+    response1 = post(conn, "/api/v1/statuses/#{activity1.id}/unbookmark")
 
     assert json_response(response1, 200)["bookmarked"] == false
 
-    bookmarks =
-      build_conn()
-      |> assign(:user, for_user)
-      |> get("/api/v1/bookmarks")
+    bookmarks = get(conn, "/api/v1/bookmarks")
 
     assert [json_response(response2, 200)] == json_response(bookmarks, 200)
   end
 
   describe "conversation muting" do
+    setup do: oauth_access(["write:mutes"])
+
     setup do
       post_user = insert(:user)
-      user = insert(:user)
-
       {:ok, activity} = CommonAPI.post(post_user, %{"status" => "HIE"})
-
-      [user: user, activity: activity]
+      %{activity: activity}
     end
 
-    test "mute conversation", %{conn: conn, user: user, activity: activity} do
+    test "mute conversation", %{conn: conn, activity: activity} do
       id_str = to_string(activity.id)
 
       assert %{"id" => ^id_str, "muted" => true} =
                conn
-               |> assign(:user, user)
                |> post("/api/v1/statuses/#{activity.id}/mute")
                |> json_response(200)
     end
@@ -998,10 +886,7 @@ test "mute conversation", %{conn: conn, user: user, activity: activity} do
     test "cannot mute already muted conversation", %{conn: conn, user: user, activity: activity} do
       {:ok, _} = CommonAPI.add_mute(user, activity)
 
-      conn =
-        conn
-        |> assign(:user, user)
-        |> post("/api/v1/statuses/#{activity.id}/mute")
+      conn = post(conn, "/api/v1/statuses/#{activity.id}/mute")
 
       assert json_response(conn, 400) == %{"error" => "conversation is already muted"}
     end
@@ -1010,11 +895,10 @@ test "unmute conversation", %{conn: conn, user: user, activity: activity} do
       {:ok, _} = CommonAPI.add_mute(user, activity)
 
       id_str = to_string(activity.id)
-      user = refresh_record(user)
 
       assert %{"id" => ^id_str, "muted" => false} =
                conn
-               |> assign(:user, user)
+               # |> assign(:user, user)
                |> post("/api/v1/statuses/#{activity.id}/unmute")
                |> json_response(200)
     end
@@ -1031,6 +915,7 @@ test "Repeated posts that are replies incorrectly have in_reply_to_id null", %{c
     conn1 =
       conn
       |> assign(:user, user2)
+      |> assign(:token, insert(:oauth_token, user: user2, scopes: ["write:statuses"]))
       |> post("/api/v1/statuses", %{"status" => "xD", "in_reply_to_id" => replied_to.id})
 
     assert %{"content" => "xD", "id" => id} = json_response(conn1, 200)
@@ -1044,6 +929,7 @@ test "Repeated posts that are replies incorrectly have in_reply_to_id null", %{c
     conn2 =
       conn
       |> assign(:user, user3)
+      |> assign(:token, insert(:oauth_token, user: user3, scopes: ["write:statuses"]))
       |> post("/api/v1/statuses/#{activity.id}/reblog")
 
     assert %{"reblog" => %{"id" => id, "reblogged" => true, "reblogs_count" => 1}} =
@@ -1055,6 +941,7 @@ test "Repeated posts that are replies incorrectly have in_reply_to_id null", %{c
     conn3 =
       conn
       |> assign(:user, user3)
+      |> assign(:token, insert(:oauth_token, user: user3, scopes: ["read:statuses"]))
       |> get("api/v1/timelines/home")
 
     [reblogged_activity] = json_response(conn3, 200)
@@ -1066,15 +953,12 @@ test "Repeated posts that are replies incorrectly have in_reply_to_id null", %{c
   end
 
   describe "GET /api/v1/statuses/:id/favourited_by" do
-    setup do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    setup %{user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "test"})
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
-      [conn: conn, activity: activity, user: user]
+      %{activity: activity}
     end
 
     test "returns users who have favorited the status", %{conn: conn, activity: activity} do
@@ -1114,20 +998,18 @@ test "does not return users who have favorited the status but are blocked", %{
 
       response =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/favourited_by")
         |> json_response(:ok)
 
       assert Enum.empty?(response)
     end
 
-    test "does not fail on an unauthenticated request", %{conn: conn, activity: activity} do
+    test "does not fail on an unauthenticated request", %{activity: activity} do
       other_user = insert(:user)
       {:ok, _, _} = CommonAPI.favorite(activity.id, other_user)
 
       response =
-        conn
-        |> assign(:user, nil)
+        build_conn()
         |> get("/api/v1/statuses/#{activity.id}/favourited_by")
         |> json_response(:ok)
 
@@ -1135,7 +1017,7 @@ test "does not fail on an unauthenticated request", %{conn: conn, activity: acti
       assert id == other_user.id
     end
 
-    test "requires authentification for private posts", %{conn: conn, user: user} do
+    test "requires authentication for private posts", %{user: user} do
       other_user = insert(:user)
 
       {:ok, activity} =
@@ -1146,15 +1028,25 @@ test "requires authentification for private posts", %{conn: conn, user: user} do
 
       {:ok, _, _} = CommonAPI.favorite(activity.id, other_user)
 
+      favourited_by_url = "/api/v1/statuses/#{activity.id}/favourited_by"
+
+      build_conn()
+      |> get(favourited_by_url)
+      |> json_response(404)
+
+      conn =
+        build_conn()
+        |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
+
       conn
-      |> assign(:user, nil)
-      |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+      |> assign(:token, nil)
+      |> get(favourited_by_url)
       |> json_response(404)
 
       response =
-        build_conn()
-        |> assign(:user, other_user)
-        |> get("/api/v1/statuses/#{activity.id}/favourited_by")
+        conn
+        |> get(favourited_by_url)
         |> json_response(200)
 
       [%{"id" => id}] = response
@@ -1163,15 +1055,12 @@ test "requires authentification for private posts", %{conn: conn, user: user} do
   end
 
   describe "GET /api/v1/statuses/:id/reblogged_by" do
-    setup do
-      user = insert(:user)
+    setup do: oauth_access(["read:accounts"])
+
+    setup %{user: user} do
       {:ok, activity} = CommonAPI.post(user, %{"status" => "test"})
 
-      conn =
-        build_conn()
-        |> assign(:user, user)
-
-      [conn: conn, activity: activity, user: user]
+      %{activity: activity}
     end
 
     test "returns users who have reblogged the status", %{conn: conn, activity: activity} do
@@ -1211,7 +1100,6 @@ test "does not return users who have reblogged the status but are blocked", %{
 
       response =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(:ok)
 
@@ -1219,7 +1107,7 @@ test "does not return users who have reblogged the status but are blocked", %{
     end
 
     test "does not return users who have reblogged the status privately", %{
-      conn: %{assigns: %{user: user}} = conn,
+      conn: conn,
       activity: activity
     } do
       other_user = insert(:user)
@@ -1228,20 +1116,18 @@ test "does not return users who have reblogged the status privately", %{
 
       response =
         conn
-        |> assign(:user, user)
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(:ok)
 
       assert Enum.empty?(response)
     end
 
-    test "does not fail on an unauthenticated request", %{conn: conn, activity: activity} do
+    test "does not fail on an unauthenticated request", %{activity: activity} do
       other_user = insert(:user)
       {:ok, _, _} = CommonAPI.repeat(activity.id, other_user)
 
       response =
-        conn
-        |> assign(:user, nil)
+        build_conn()
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(:ok)
 
@@ -1249,7 +1135,7 @@ test "does not fail on an unauthenticated request", %{conn: conn, activity: acti
       assert id == other_user.id
     end
 
-    test "requires authentification for private posts", %{conn: conn, user: user} do
+    test "requires authentication for private posts", %{user: user} do
       other_user = insert(:user)
 
       {:ok, activity} =
@@ -1258,14 +1144,14 @@ test "requires authentification for private posts", %{conn: conn, user: user} do
           "visibility" => "direct"
         })
 
-      conn
-      |> assign(:user, nil)
+      build_conn()
       |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
       |> json_response(404)
 
       response =
         build_conn()
         |> assign(:user, other_user)
+        |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["read:accounts"]))
         |> get("/api/v1/statuses/#{activity.id}/reblogged_by")
         |> json_response(200)
 
@@ -1284,7 +1170,6 @@ test "context" do
 
     response =
       build_conn()
-      |> assign(:user, nil)
       |> get("/api/v1/statuses/#{id3}/context")
       |> json_response(:ok)
 
@@ -1294,8 +1179,8 @@ test "context" do
            } = response
   end
 
-  test "returns the favorites of a user", %{conn: conn} do
-    user = insert(:user)
+  test "returns the favorites of a user" do
+    %{user: user, conn: conn} = oauth_access(["read:favourites"])
     other_user = insert(:user)
 
     {:ok, _} = CommonAPI.post(other_user, %{"status" => "bla"})
@@ -1303,10 +1188,7 @@ test "returns the favorites of a user", %{conn: conn} do
 
     {:ok, _, _} = CommonAPI.favorite(activity.id, user)
 
-    first_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/favourites")
+    first_conn = get(conn, "/api/v1/favourites")
 
     assert [status] = json_response(first_conn, 200)
     assert status["id"] == to_string(activity.id)
@@ -1325,18 +1207,12 @@ test "returns the favorites of a user", %{conn: conn} do
 
     last_like = status["id"]
 
-    second_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/favourites?since_id=#{last_like}")
+    second_conn = get(conn, "/api/v1/favourites?since_id=#{last_like}")
 
     assert [second_status] = json_response(second_conn, 200)
     assert second_status["id"] == to_string(second_activity.id)
 
-    third_conn =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/favourites?limit=0")
+    third_conn = get(conn, "/api/v1/favourites?limit=0")
 
     assert [] = json_response(third_conn, 200)
   end
diff --git a/test/web/oauth/oauth_controller_test.exs b/test/web/oauth/oauth_controller_test.exs
index 901f2ae41..9cc534f57 100644
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@@ -450,7 +450,7 @@ test "properly handles internal calls with `authorization`-wrapped params", %{
 
     test "renders authentication page if user is already authenticated but `force_login` is tru-ish",
          %{app: app, conn: conn} do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -474,7 +474,7 @@ test "renders authentication page if user is already authenticated but user requ
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -497,7 +497,7 @@ test "with existing authentication and non-OOB `redirect_uri`, redirects to app
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -523,7 +523,7 @@ test "with existing authentication and unlisted non-OOB `redirect_uri`, redirect
            conn: conn
          } do
       unlisted_redirect_uri = "http://cross-site-request.com"
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
@@ -547,7 +547,7 @@ test "with existing authentication and OOB `redirect_uri`, redirects to app with
            app: app,
            conn: conn
          } do
-      token = insert(:oauth_token, app_id: app.id)
+      token = insert(:oauth_token, app: app)
 
       conn =
         conn
diff --git a/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs b/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs
index b1b59beed..3f7ef13bc 100644
--- a/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs
+++ b/test/web/pleroma_api/controllers/pleroma_api_controller_test.exs
@@ -23,6 +23,7 @@ test "POST /api/v1/pleroma/statuses/:id/react_with_emoji", %{conn: conn} do
     result =
       conn
       |> assign(:user, other_user)
+      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["write:statuses"]))
       |> post("/api/v1/pleroma/statuses/#{activity.id}/react_with_emoji", %{"emoji" => "☕"})
 
     assert %{"id" => id} = json_response(result, 200)
@@ -39,6 +40,7 @@ test "POST /api/v1/pleroma/statuses/:id/unreact_with_emoji", %{conn: conn} do
     result =
       conn
       |> assign(:user, other_user)
+      |> assign(:token, insert(:oauth_token, user: other_user, scopes: ["write:statuses"]))
       |> post("/api/v1/pleroma/statuses/#{activity.id}/unreact_with_emoji", %{"emoji" => "☕"})
 
     assert %{"id" => id} = json_response(result, 200)
@@ -55,6 +57,11 @@ test "GET /api/v1/pleroma/statuses/:id/emoji_reactions_by", %{conn: conn} do
 
     {:ok, activity} = CommonAPI.post(user, %{"status" => "#cofe"})
 
+    conn =
+      conn
+      |> assign(:user, user)
+      |> assign(:token, insert(:oauth_token, user: user, scopes: ["read:statuses"]))
+
     result =
       conn
       |> get("/api/v1/pleroma/statuses/#{activity.id}/emoji_reactions_by")
@@ -73,9 +80,9 @@ test "GET /api/v1/pleroma/statuses/:id/emoji_reactions_by", %{conn: conn} do
     assert represented_user["id"] == other_user.id
   end
 
-  test "/api/v1/pleroma/conversations/:id", %{conn: conn} do
+  test "/api/v1/pleroma/conversations/:id" do
     user = insert(:user)
-    other_user = insert(:user)
+    %{user: other_user, conn: conn} = oauth_access(["read:statuses"])
 
     {:ok, _activity} =
       CommonAPI.post(user, %{"status" => "Hi @#{other_user.nickname}!", "visibility" => "direct"})
@@ -84,16 +91,15 @@ test "/api/v1/pleroma/conversations/:id", %{conn: conn} do
 
     result =
       conn
-      |> assign(:user, other_user)
       |> get("/api/v1/pleroma/conversations/#{participation.id}")
       |> json_response(200)
 
     assert result["id"] == participation.id |> to_string()
   end
 
-  test "/api/v1/pleroma/conversations/:id/statuses", %{conn: conn} do
+  test "/api/v1/pleroma/conversations/:id/statuses" do
     user = insert(:user)
-    other_user = insert(:user)
+    %{user: other_user, conn: conn} = oauth_access(["read:statuses"])
     third_user = insert(:user)
 
     {:ok, _activity} =
@@ -113,7 +119,6 @@ test "/api/v1/pleroma/conversations/:id/statuses", %{conn: conn} do
 
     result =
       conn
-      |> assign(:user, other_user)
       |> get("/api/v1/pleroma/conversations/#{participation.id}/statuses")
       |> json_response(200)
 
@@ -124,8 +129,8 @@ test "/api/v1/pleroma/conversations/:id/statuses", %{conn: conn} do
     assert [%{"id" => ^id_one}, %{"id" => ^id_two}] = result
   end
 
-  test "PATCH /api/v1/pleroma/conversations/:id", %{conn: conn} do
-    user = insert(:user)
+  test "PATCH /api/v1/pleroma/conversations/:id" do
+    %{user: user, conn: conn} = oauth_access(["write:conversations"])
     other_user = insert(:user)
 
     {:ok, _activity} = CommonAPI.post(user, %{"status" => "Hi", "visibility" => "direct"})
@@ -140,7 +145,6 @@ test "PATCH /api/v1/pleroma/conversations/:id", %{conn: conn} do
 
     result =
       conn
-      |> assign(:user, user)
       |> patch("/api/v1/pleroma/conversations/#{participation.id}", %{
         "recipients" => [user.id, other_user.id]
       })
@@ -155,9 +159,9 @@ test "PATCH /api/v1/pleroma/conversations/:id", %{conn: conn} do
     assert other_user in participation.recipients
   end
 
-  test "POST /api/v1/pleroma/conversations/read", %{conn: conn} do
+  test "POST /api/v1/pleroma/conversations/read" do
     user = insert(:user)
-    other_user = insert(:user)
+    %{user: other_user, conn: conn} = oauth_access(["write:notifications"])
 
     {:ok, _activity} =
       CommonAPI.post(user, %{"status" => "Hi @#{other_user.nickname}", "visibility" => "direct"})
@@ -172,7 +176,6 @@ test "POST /api/v1/pleroma/conversations/read", %{conn: conn} do
 
     [%{"unread" => false}, %{"unread" => false}] =
       conn
-      |> assign(:user, other_user)
       |> post("/api/v1/pleroma/conversations/read", %{})
       |> json_response(200)
 
@@ -183,8 +186,9 @@ test "POST /api/v1/pleroma/conversations/read", %{conn: conn} do
   end
 
   describe "POST /api/v1/pleroma/notifications/read" do
-    test "it marks a single notification as read", %{conn: conn} do
-      user1 = insert(:user)
+    setup do: oauth_access(["write:notifications"])
+
+    test "it marks a single notification as read", %{user: user1, conn: conn} do
       user2 = insert(:user)
       {:ok, activity1} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
       {:ok, activity2} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
@@ -193,7 +197,6 @@ test "it marks a single notification as read", %{conn: conn} do
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/v1/pleroma/notifications/read", %{"id" => "#{notification1.id}"})
         |> json_response(:ok)
 
@@ -202,8 +205,7 @@ test "it marks a single notification as read", %{conn: conn} do
       refute Repo.get(Notification, notification2.id).seen
     end
 
-    test "it marks multiple notifications as read", %{conn: conn} do
-      user1 = insert(:user)
+    test "it marks multiple notifications as read", %{user: user1, conn: conn} do
       user2 = insert(:user)
       {:ok, _activity1} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
       {:ok, _activity2} = CommonAPI.post(user2, %{"status" => "hi @#{user1.nickname}"})
@@ -213,7 +215,6 @@ test "it marks multiple notifications as read", %{conn: conn} do
 
       [response1, response2] =
         conn
-        |> assign(:user, user1)
         |> post("/api/v1/pleroma/notifications/read", %{"max_id" => "#{notification2.id}"})
         |> json_response(:ok)
 
@@ -225,11 +226,8 @@ test "it marks multiple notifications as read", %{conn: conn} do
     end
 
     test "it returns error when notification not found", %{conn: conn} do
-      user1 = insert(:user)
-
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/v1/pleroma/notifications/read", %{"id" => "22222222222222"})
         |> json_response(:bad_request)
 
diff --git a/test/web/twitter_api/util_controller_test.exs b/test/web/twitter_api/util_controller_test.exs
index 734cd2211..9bfaba9d3 100644
--- a/test/web/twitter_api/util_controller_test.exs
+++ b/test/web/twitter_api/util_controller_test.exs
@@ -6,10 +6,10 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   use Pleroma.Web.ConnCase
   use Oban.Testing, repo: Pleroma.Repo
 
-  alias Pleroma.Repo
   alias Pleroma.Tests.ObanHelpers
   alias Pleroma.User
   alias Pleroma.Web.CommonAPI
+
   import ExUnit.CaptureLog
   import Pleroma.Factory
   import Mock
@@ -24,21 +24,20 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
   clear_config([:user, :deny_follow_blocked])
 
   describe "POST /api/pleroma/follow_import" do
+    setup do: oauth_access(["follow"])
+
     test "it returns HTTP 200", %{conn: conn} do
-      user1 = insert(:user)
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/pleroma/follow_import", %{"list" => "#{user2.ap_id}"})
         |> json_response(:ok)
 
       assert response == "job started"
     end
 
-    test "it imports follow lists from file", %{conn: conn} do
-      user1 = insert(:user)
+    test "it imports follow lists from file", %{user: user1, conn: conn} do
       user2 = insert(:user)
 
       with_mocks([
@@ -49,7 +48,6 @@ test "it imports follow lists from file", %{conn: conn} do
       ]) do
         response =
           conn
-          |> assign(:user, user1)
           |> post("/api/pleroma/follow_import", %{"list" => %Plug.Upload{path: "follow_list.txt"}})
           |> json_response(:ok)
 
@@ -67,12 +65,10 @@ test "it imports follow lists from file", %{conn: conn} do
     end
 
     test "it imports new-style mastodon follow lists", %{conn: conn} do
-      user1 = insert(:user)
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/pleroma/follow_import", %{
           "list" => "Account address,Show boosts\n#{user2.ap_id},true"
         })
@@ -81,7 +77,7 @@ test "it imports new-style mastodon follow lists", %{conn: conn} do
       assert response == "job started"
     end
 
-    test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
+    test "requires 'follow' or 'write:follows' permissions" do
       token1 = insert(:oauth_token, scopes: ["read", "write"])
       token2 = insert(:oauth_token, scopes: ["follow"])
       token3 = insert(:oauth_token, scopes: ["something"])
@@ -89,7 +85,7 @@ test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
 
       for token <- [token1, token2, token3] do
         conn =
-          conn
+          build_conn()
           |> put_req_header("authorization", "Bearer #{token.token}")
           |> post("/api/pleroma/follow_import", %{"list" => "#{another_user.ap_id}"})
 
@@ -104,21 +100,21 @@ test "requires 'follow' or 'write:follows' permissions", %{conn: conn} do
   end
 
   describe "POST /api/pleroma/blocks_import" do
+    # Note: "follow" or "write:blocks" permission is required
+    setup do: oauth_access(["write:blocks"])
+
     test "it returns HTTP 200", %{conn: conn} do
-      user1 = insert(:user)
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user1)
         |> post("/api/pleroma/blocks_import", %{"list" => "#{user2.ap_id}"})
         |> json_response(:ok)
 
       assert response == "job started"
     end
 
-    test "it imports blocks users from file", %{conn: conn} do
-      user1 = insert(:user)
+    test "it imports blocks users from file", %{user: user1, conn: conn} do
       user2 = insert(:user)
       user3 = insert(:user)
 
@@ -127,7 +123,6 @@ test "it imports blocks users from file", %{conn: conn} do
       ]) do
         response =
           conn
-          |> assign(:user, user1)
           |> post("/api/pleroma/blocks_import", %{"list" => %Plug.Upload{path: "blocks_list.txt"}})
           |> json_response(:ok)
 
@@ -146,18 +141,17 @@ test "it imports blocks users from file", %{conn: conn} do
   end
 
   describe "PUT /api/pleroma/notification_settings" do
-    test "it updates notification settings", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
+    test "it updates notification settings", %{user: user, conn: conn} do
       conn
-      |> assign(:user, user)
       |> put("/api/pleroma/notification_settings", %{
         "followers" => false,
         "bar" => 1
       })
       |> json_response(:ok)
 
-      user = Repo.get(User, user.id)
+      user = refresh_record(user)
 
       assert %Pleroma.User.NotificationSetting{
                followers: false,
@@ -168,11 +162,8 @@ test "it updates notification settings", %{conn: conn} do
              } == user.notification_settings
     end
 
-    test "it update notificatin privacy option", %{conn: conn} do
-      user = insert(:user)
-
+    test "it updates notification privacy option", %{user: user, conn: conn} do
       conn
-      |> assign(:user, user)
       |> put("/api/pleroma/notification_settings", %{"privacy_option" => "1"})
       |> json_response(:ok)
 
@@ -374,14 +365,14 @@ test "show follow page with error when user cannot fecth by `acct` link", %{conn
     end
   end
 
-  describe "POST /ostatus_subscribe - do_remote_follow/2 with assigned user " do
-    test "follows user", %{conn: conn} do
-      user = insert(:user)
+  describe "POST /ostatus_subscribe - do_remote_follow/2 with assigned user" do
+    setup do: oauth_access(["follow"])
+
+    test "follows user", %{user: user, conn: conn} do
       user2 = insert(:user)
 
       response =
         conn
-        |> assign(:user, user)
         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
         |> response(200)
 
@@ -389,55 +380,63 @@ test "follows user", %{conn: conn} do
       assert user2.follower_address in User.following(user)
     end
 
-    test "returns error when user is deactivated", %{conn: conn} do
+    test "returns error when user is deactivated" do
       user = insert(:user, deactivated: true)
       user2 = insert(:user)
 
       response =
-        conn
+        build_conn()
         |> assign(:user, user)
+        |> assign(:token, insert(:oauth_token, user: user, scopes: ["follow"]))
         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
         |> response(200)
 
       assert response =~ "Error following account"
     end
 
-    test "returns error when user is blocked", %{conn: conn} do
+    test "returns error when user is blocked", %{user: user, conn: conn} do
       Pleroma.Config.put([:user, :deny_follow_blocked], true)
-      user = insert(:user)
       user2 = insert(:user)
 
       {:ok, _user_block} = Pleroma.User.block(user2, user)
 
       response =
         conn
-        |> assign(:user, user)
         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
         |> response(200)
 
       assert response =~ "Error following account"
     end
 
-    test "returns error when followee not found", %{conn: conn} do
-      user = insert(:user)
+    test "returns error on insufficient permissions", %{user: user, conn: conn} do
+      user2 = insert(:user)
 
+      for token <- [nil, insert(:oauth_token, user: user, scopes: ["read"])] do
+        response =
+          conn
+          |> assign(:token, token)
+          |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
+          |> response(200)
+
+        assert response =~ "Error following account"
+      end
+    end
+
+    test "returns error when followee not found", %{conn: conn} do
       response =
         conn
-        |> assign(:user, user)
         |> post("/ostatus_subscribe", %{"user" => %{"id" => "jimm"}})
         |> response(200)
 
       assert response =~ "Error following account"
     end
 
-    test "returns success result when user already in followers", %{conn: conn} do
-      user = insert(:user)
+    test "returns success result when user already in followers", %{user: user, conn: conn} do
       user2 = insert(:user)
       {:ok, _, _, _} = CommonAPI.follow(user, user2)
 
       response =
         conn
-        |> assign(:user, refresh_record(user))
         |> post("/ostatus_subscribe", %{"user" => %{"id" => user2.id}})
         |> response(200)
 
@@ -445,7 +444,7 @@ test "returns success result when user already in followers", %{conn: conn} do
     end
   end
 
-  describe "POST /ostatus_subscribe - do_remote_follow/2 without assigned user " do
+  describe "POST /ostatus_subscribe - do_remote_follow/2 without assigned user" do
     test "follows", %{conn: conn} do
       user = insert(:user)
       user2 = insert(:user)
@@ -552,7 +551,7 @@ test "returns 200 when healthcheck enabled and all ok", %{conn: conn} do
       end
     end
 
-    test "returns 503 when healthcheck enabled and  health is false", %{conn: conn} do
+    test "returns 503 when healthcheck enabled and health is false", %{conn: conn} do
       Pleroma.Config.put([:instance, :healthcheck], true)
 
       with_mock Pleroma.Healthcheck,
@@ -574,12 +573,11 @@ test "returns 503 when healthcheck enabled and  health is false", %{conn: conn}
   end
 
   describe "POST /api/pleroma/disable_account" do
-    test "it returns HTTP 200", %{conn: conn} do
-      user = insert(:user)
+    setup do: oauth_access(["write:accounts"])
 
+    test "with valid permissions and password, it disables the account", %{conn: conn, user: user} do
       response =
         conn
-        |> assign(:user, user)
         |> post("/api/pleroma/disable_account", %{"password" => "test"})
         |> json_response(:ok)
 
@@ -591,12 +589,11 @@ test "it returns HTTP 200", %{conn: conn} do
       assert user.deactivated == true
     end
 
-    test "it returns returns when password invalid", %{conn: conn} do
+    test "with valid permissions and invalid password, it returns an error", %{conn: conn} do
       user = insert(:user)
 
       response =
         conn
-        |> assign(:user, user)
         |> post("/api/pleroma/disable_account", %{"password" => "test1"})
         |> json_response(:ok)
 
@@ -666,7 +663,7 @@ test "it redirect to webfinger url", %{conn: conn} do
                "https://social.heldscal.la/main/ostatussub?profile=#{user.ap_id}"
     end
 
-    test "it renders form with error when use not found", %{conn: conn} do
+    test "it renders form with error when user not found", %{conn: conn} do
       user2 = insert(:user, ap_id: "shp@social.heldscal.la")
 
       response =
@@ -691,29 +688,21 @@ test "it returns new captcha", %{conn: conn} do
     end
   end
 
-  defp with_credentials(conn, username, password) do
-    header_content = "Basic " <> Base.encode64("#{username}:#{password}")
-    put_req_header(conn, "authorization", header_content)
-  end
-
-  defp valid_user(_context) do
-    user = insert(:user)
-    [user: user]
-  end
-
   describe "POST /api/pleroma/change_email" do
-    setup [:valid_user]
+    setup do: oauth_access(["write:accounts"])
 
-    test "without credentials", %{conn: conn} do
-      conn = post(conn, "/api/pleroma/change_email")
-      assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-    end
-
-    test "with credentials and invalid password", %{conn: conn, user: current_user} do
+    test "without permissions", %{conn: conn} do
       conn =
         conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        |> assign(:token, nil)
+        |> post("/api/pleroma/change_email")
+
+      assert json_response(conn, 403) == %{"error" => "Insufficient permissions: write:accounts."}
+    end
+
+    test "with proper permissions and invalid password", %{conn: conn} do
+      conn =
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "hi",
           "email" => "test@test.com"
         })
@@ -721,14 +710,11 @@ test "with credentials and invalid password", %{conn: conn, user: current_user}
       assert json_response(conn, 200) == %{"error" => "Invalid password."}
     end
 
-    test "with credentials, valid password and invalid email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and invalid email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => "foobar"
         })
@@ -736,28 +722,22 @@ test "with credentials, valid password and invalid email", %{
       assert json_response(conn, 200) == %{"error" => "Email has invalid format."}
     end
 
-    test "with credentials, valid password and no email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and no email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test"
         })
 
       assert json_response(conn, 200) == %{"error" => "Email can't be blank."}
     end
 
-    test "with credentials, valid password and blank email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and blank email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => ""
         })
@@ -765,16 +745,13 @@ test "with credentials, valid password and blank email", %{
       assert json_response(conn, 200) == %{"error" => "Email can't be blank."}
     end
 
-    test "with credentials, valid password and non unique email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and non unique email", %{
+      conn: conn
     } do
       user = insert(:user)
 
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => user.email
         })
@@ -782,14 +759,11 @@ test "with credentials, valid password and non unique email", %{
       assert json_response(conn, 200) == %{"error" => "Email has already been taken."}
     end
 
-    test "with credentials, valid password and valid email", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and valid email", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_email", %{
+        post(conn, "/api/pleroma/change_email", %{
           "password" => "test",
           "email" => "cofe@foobar.com"
         })
@@ -799,18 +773,20 @@ test "with credentials, valid password and valid email", %{
   end
 
   describe "POST /api/pleroma/change_password" do
-    setup [:valid_user]
+    setup do: oauth_access(["write:accounts"])
 
-    test "without credentials", %{conn: conn} do
-      conn = post(conn, "/api/pleroma/change_password")
-      assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-    end
-
-    test "with credentials and invalid password", %{conn: conn, user: current_user} do
+    test "without permissions", %{conn: conn} do
       conn =
         conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        |> assign(:token, nil)
+        |> post("/api/pleroma/change_password")
+
+      assert json_response(conn, 403) == %{"error" => "Insufficient permissions: write:accounts."}
+    end
+
+    test "with proper permissions and invalid password", %{conn: conn} do
+      conn =
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "hi",
           "new_password" => "newpass",
           "new_password_confirmation" => "newpass"
@@ -819,14 +795,12 @@ test "with credentials and invalid password", %{conn: conn, user: current_user}
       assert json_response(conn, 200) == %{"error" => "Invalid password."}
     end
 
-    test "with credentials, valid password and new password and confirmation not matching", %{
-      conn: conn,
-      user: current_user
-    } do
+    test "with proper permissions, valid password and new password and confirmation not matching",
+         %{
+           conn: conn
+         } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "test",
           "new_password" => "newpass",
           "new_password_confirmation" => "notnewpass"
@@ -837,14 +811,11 @@ test "with credentials, valid password and new password and confirmation not mat
              }
     end
 
-    test "with credentials, valid password and invalid new password", %{
-      conn: conn,
-      user: current_user
+    test "with proper permissions, valid password and invalid new password", %{
+      conn: conn
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "test",
           "new_password" => "",
           "new_password_confirmation" => ""
@@ -855,51 +826,48 @@ test "with credentials, valid password and invalid new password", %{
              }
     end
 
-    test "with credentials, valid password and matching new password and confirmation", %{
+    test "with proper permissions, valid password and matching new password and confirmation", %{
       conn: conn,
-      user: current_user
+      user: user
     } do
       conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/change_password", %{
+        post(conn, "/api/pleroma/change_password", %{
           "password" => "test",
           "new_password" => "newpass",
           "new_password_confirmation" => "newpass"
         })
 
       assert json_response(conn, 200) == %{"status" => "success"}
-      fetched_user = User.get_cached_by_id(current_user.id)
+      fetched_user = User.get_cached_by_id(user.id)
       assert Comeonin.Pbkdf2.checkpw("newpass", fetched_user.password_hash) == true
     end
   end
 
   describe "POST /api/pleroma/delete_account" do
-    setup [:valid_user]
+    setup do: oauth_access(["write:accounts"])
 
-    test "without credentials", %{conn: conn} do
-      conn = post(conn, "/api/pleroma/delete_account")
-      assert json_response(conn, 403) == %{"error" => "Invalid credentials."}
-    end
-
-    test "with credentials and invalid password", %{conn: conn, user: current_user} do
+    test "without permissions", %{conn: conn} do
       conn =
         conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/delete_account", %{"password" => "hi"})
+        |> assign(:token, nil)
+        |> post("/api/pleroma/delete_account")
 
-      assert json_response(conn, 200) == %{"error" => "Invalid password."}
+      assert json_response(conn, 403) ==
+               %{"error" => "Insufficient permissions: write:accounts."}
     end
 
-    test "with credentials and valid password", %{conn: conn, user: current_user} do
-      conn =
-        conn
-        |> with_credentials(current_user.nickname, "test")
-        |> post("/api/pleroma/delete_account", %{"password" => "test"})
+    test "with proper permissions and wrong or missing password", %{conn: conn} do
+      for params <- [%{"password" => "hi"}, %{}] do
+        ret_conn = post(conn, "/api/pleroma/delete_account", params)
+
+        assert json_response(ret_conn, 200) == %{"error" => "Invalid password."}
+      end
+    end
+
+    test "with proper permissions and valid password", %{conn: conn} do
+      conn = post(conn, "/api/pleroma/delete_account", %{"password" => "test"})
 
       assert json_response(conn, 200) == %{"status" => "success"}
-      # Wait a second for the started task to end
-      :timer.sleep(1000)
     end
   end
 end