MediaController OAuth scope assignments fix.

Typo fix (`def get_media` instead of `def show`).
This commit is contained in:
Ivan Tashkinov 2020-05-17 08:46:43 +03:00
parent d96f8f17e8
commit af9dfdce6b
2 changed files with 15 additions and 5 deletions

View file

@ -14,7 +14,8 @@ defmodule Pleroma.Web.MastodonAPI.MediaController do
plug(Pleroma.Web.ApiSpec.CastAndValidate) plug(Pleroma.Web.ApiSpec.CastAndValidate)
plug(:put_view, Pleroma.Web.MastodonAPI.StatusView) plug(:put_view, Pleroma.Web.MastodonAPI.StatusView)
plug(OAuthScopesPlug, %{scopes: ["write:media"]}) plug(OAuthScopesPlug, %{scopes: ["read:media"]} when action == :show)
plug(OAuthScopesPlug, %{scopes: ["write:media"]} when action != :show)
defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.MediaOperation defdelegate open_api_operation(action), to: Pleroma.Web.ApiSpec.MediaOperation
@ -65,6 +66,7 @@ def update(%{assigns: %{user: user}, body_params: %{description: description}} =
def update(conn, data), do: show(conn, data) def update(conn, data), do: show(conn, data)
# TODO: clarify: is the access to non-owned objects granted intentionally?
@doc "GET /api/v1/media/:id" @doc "GET /api/v1/media/:id"
def show(conn, %{id: id}) do def show(conn, %{id: id}) do
with %Object{data: data, id: object_id} <- Object.get_by_id(id) do with %Object{data: data, id: object_id} <- Object.get_by_id(id) do
@ -74,5 +76,5 @@ def show(conn, %{id: id}) do
end end
end end
def get_media(_conn, _data), do: {:error, :bad_request} def show(_conn, _data), do: {:error, :bad_request}
end end

View file

@ -9,9 +9,9 @@ defmodule Pleroma.Web.MastodonAPI.MediaControllerTest do
alias Pleroma.User alias Pleroma.User
alias Pleroma.Web.ActivityPub.ActivityPub alias Pleroma.Web.ActivityPub.ActivityPub
setup do: oauth_access(["write:media"])
describe "Upload media" do describe "Upload media" do
setup do: oauth_access(["write:media"])
setup do setup do
image = %Plug.Upload{ image = %Plug.Upload{
content_type: "image/jpg", content_type: "image/jpg",
@ -42,7 +42,7 @@ test "/api/v1/media", %{conn: conn, image: image} do
assert object.data["actor"] == User.ap_id(conn.assigns[:user]) assert object.data["actor"] == User.ap_id(conn.assigns[:user])
end end
test "/api/v2/media", %{conn: conn, image: image} do test "/api/v2/media", %{conn: conn, user: user, image: image} do
desc = "Description of the image" desc = "Description of the image"
response = response =
@ -53,6 +53,8 @@ test "/api/v2/media", %{conn: conn, image: image} do
assert media_id = response["id"] assert media_id = response["id"]
%{conn: conn} = oauth_access(["read:media"], user: user)
media = media =
conn conn
|> get("/api/v1/media/#{media_id}") |> get("/api/v1/media/#{media_id}")
@ -62,11 +64,15 @@ test "/api/v2/media", %{conn: conn, image: image} do
assert media["description"] == desc assert media["description"] == desc
assert media["id"] assert media["id"]
object = Object.get_by_id(media["id"]) object = Object.get_by_id(media["id"])
# TODO: clarify: if this EP allows access to non-owned objects, the following may be false:
assert object.data["actor"] == User.ap_id(conn.assigns[:user]) assert object.data["actor"] == User.ap_id(conn.assigns[:user])
end end
end end
describe "Update media description" do describe "Update media description" do
setup do: oauth_access(["write:media"])
setup %{user: actor} do setup %{user: actor} do
file = %Plug.Upload{ file = %Plug.Upload{
content_type: "image/jpg", content_type: "image/jpg",
@ -97,6 +103,8 @@ test "/api/v1/media/:id good request", %{conn: conn, object: object} do
end end
describe "Get media by id" do describe "Get media by id" do
setup do: oauth_access(["read:media"])
setup %{user: actor} do setup %{user: actor} do
file = %Plug.Upload{ file = %Plug.Upload{
content_type: "image/jpg", content_type: "image/jpg",