Chat moderation: add tests for unauthorized access

This commit is contained in:
Alex Gleason 2020-09-11 14:00:34 -05:00
parent e229536e5c
commit dfb831ca39
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7
3 changed files with 109 additions and 2 deletions

View file

@ -1395,7 +1395,7 @@ Loads json generated from `config/descriptions.exs`.
### List the messages in a chat ### List the messages in a chat
- Params: None - Params: `max_id`, `min_id`
- Response: - Response:

View file

@ -1528,6 +1528,35 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
end end
end end
describe "GET /api/pleroma/admin/users/:nickname/chats unauthorized" do
setup do
user = insert(:user)
insert(:chat, user: user)
%{conn: conn} = oauth_access(["read:chats"])
%{conn: conn, user: user}
end
test "returns 403", %{conn: conn, user: user} do
conn
|> get("/api/pleroma/admin/users/#{user.nickname}/chats")
|> json_response(403)
end
end
describe "GET /api/pleroma/admin/users/:nickname/chats unauthenticated" do
setup do
user = insert(:user)
insert(:chat, user: user)
%{conn: build_conn(), user: user}
end
test "returns 403", %{conn: conn, user: user} do
conn
|> get("/api/pleroma/admin/users/#{user.nickname}/chats")
|> json_response(403)
end
end
describe "GET /api/pleroma/admin/moderation_log" do describe "GET /api/pleroma/admin/moderation_log" do
setup do setup do
moderator = insert(:user, is_moderator: true) moderator = insert(:user, is_moderator: true)

View file

@ -15,7 +15,7 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
alias Pleroma.Repo alias Pleroma.Repo
alias Pleroma.Web.CommonAPI alias Pleroma.Web.CommonAPI
setup do defp admin_setup do
admin = insert(:user, is_admin: true) admin = insert(:user, is_admin: true)
token = insert(:oauth_admin_token, user: admin) token = insert(:oauth_admin_token, user: admin)
@ -28,6 +28,8 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
end end
describe "DELETE /api/pleroma/admin/chats/:id/messages/:message_id" do describe "DELETE /api/pleroma/admin/chats/:id/messages/:message_id" do
setup do: admin_setup()
test "it deletes a message from the chat", %{conn: conn, admin: admin} do test "it deletes a message from the chat", %{conn: conn, admin: admin} do
user = insert(:user) user = insert(:user)
recipient = insert(:user) recipient = insert(:user)
@ -59,6 +61,8 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
end end
describe "GET /api/pleroma/admin/chats/:id/messages" do describe "GET /api/pleroma/admin/chats/:id/messages" do
setup do: admin_setup()
test "it paginates", %{conn: conn} do test "it paginates", %{conn: conn} do
user = insert(:user) user = insert(:user)
recipient = insert(:user) recipient = insert(:user)
@ -111,6 +115,8 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
end end
describe "GET /api/pleroma/admin/chats/:id" do describe "GET /api/pleroma/admin/chats/:id" do
setup do: admin_setup()
test "it returns a chat", %{conn: conn} do test "it returns a chat", %{conn: conn} do
user = insert(:user) user = insert(:user)
other_user = insert(:user) other_user = insert(:user)
@ -128,4 +134,76 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
refute result["account"] refute result["account"]
end end
end end
describe "unauthorized chat moderation" do
setup do
user = insert(:user)
recipient = insert(:user)
{:ok, message} = CommonAPI.post_chat_message(user, recipient, "Yo")
object = Object.normalize(message, false)
chat = Chat.get(user.id, recipient.ap_id)
cm_ref = MessageReference.for_chat_and_object(chat, object)
%{conn: conn} = oauth_access(["read:chats", "write:chats"])
%{conn: conn, chat: chat, cm_ref: cm_ref}
end
test "DELETE /api/pleroma/admin/chats/:id/messages/:message_id", %{conn: conn, chat: chat, cm_ref: cm_ref} do
conn
|> put_req_header("content-type", "application/json")
|> delete("/api/pleroma/admin/chats/#{chat.id}/messages/#{cm_ref.id}")
|> json_response(403)
assert MessageReference.get_by_id(cm_ref.id) == cm_ref
end
test "GET /api/pleroma/admin/chats/:id/messages", %{conn: conn, chat: chat} do
conn
|> get("/api/pleroma/admin/chats/#{chat.id}/messages")
|> json_response(403)
end
test "GET /api/pleroma/admin/chats/:id", %{conn: conn, chat: chat} do
conn
|> get("/api/pleroma/admin/chats/#{chat.id}")
|> json_response(403)
end
end
describe "unauthenticated chat moderation" do
setup do
user = insert(:user)
recipient = insert(:user)
{:ok, message} = CommonAPI.post_chat_message(user, recipient, "Yo")
object = Object.normalize(message, false)
chat = Chat.get(user.id, recipient.ap_id)
cm_ref = MessageReference.for_chat_and_object(chat, object)
%{conn: build_conn(), chat: chat, cm_ref: cm_ref}
end
test "DELETE /api/pleroma/admin/chats/:id/messages/:message_id", %{conn: conn, chat: chat, cm_ref: cm_ref} do
conn
|> put_req_header("content-type", "application/json")
|> delete("/api/pleroma/admin/chats/#{chat.id}/messages/#{cm_ref.id}")
|> json_response(403)
assert MessageReference.get_by_id(cm_ref.id) == cm_ref
end
test "GET /api/pleroma/admin/chats/:id/messages", %{conn: conn, chat: chat} do
conn
|> get("/api/pleroma/admin/chats/#{chat.id}/messages")
|> json_response(403)
end
test "GET /api/pleroma/admin/chats/:id", %{conn: conn, chat: chat} do
conn
|> get("/api/pleroma/admin/chats/#{chat.id}")
|> json_response(403)
end
end
end end