# Pleroma: A lightweight social networking server # Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/> # SPDX-License-Identifier: AGPL-3.0-only defmodule Pleroma.Plugs.UserIsAdminPlugTest do use Pleroma.Web.ConnCase, async: true alias Pleroma.Plugs.UserIsAdminPlug import Pleroma.Factory describe "unless [:auth, :enforce_oauth_admin_scope_usage]," do clear_config([:auth, :enforce_oauth_admin_scope_usage]) do Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], false) end test "accepts a user that is an admin" do user = insert(:user, is_admin: true) conn = assign(build_conn(), :user, user) ret_conn = UserIsAdminPlug.call(conn, %{}) assert conn == ret_conn end test "denies a user that isn't an admin" do user = insert(:user) conn = build_conn() |> assign(:user, user) |> UserIsAdminPlug.call(%{}) assert conn.status == 403 end test "denies when a user isn't set" do conn = UserIsAdminPlug.call(build_conn(), %{}) assert conn.status == 403 end end describe "with [:auth, :enforce_oauth_admin_scope_usage]," do clear_config([:auth, :enforce_oauth_admin_scope_usage]) do Pleroma.Config.put([:auth, :enforce_oauth_admin_scope_usage], true) end setup do admin_user = insert(:user, is_admin: true) non_admin_user = insert(:user, is_admin: false) blank_user = nil {:ok, %{users: [admin_user, non_admin_user, blank_user]}} end test "if token has any of admin scopes, accepts a user that is an admin", %{conn: conn} do user = insert(:user, is_admin: true) token = insert(:oauth_token, user: user, scopes: ["admin:something"]) conn = conn |> assign(:user, user) |> assign(:token, token) ret_conn = UserIsAdminPlug.call(conn, %{}) assert conn == ret_conn end test "if token has any of admin scopes, denies a user that isn't an admin", %{conn: conn} do user = insert(:user, is_admin: false) token = insert(:oauth_token, user: user, scopes: ["admin:something"]) conn = conn |> assign(:user, user) |> assign(:token, token) |> UserIsAdminPlug.call(%{}) assert conn.status == 403 end test "if token has any of admin scopes, denies when a user isn't set", %{conn: conn} do token = insert(:oauth_token, scopes: ["admin:something"]) conn = conn |> assign(:user, nil) |> assign(:token, token) |> UserIsAdminPlug.call(%{}) assert conn.status == 403 end test "if token lacks admin scopes, denies users regardless of is_admin flag", %{users: users} do for user <- users do token = insert(:oauth_token, user: user) conn = build_conn() |> assign(:user, user) |> assign(:token, token) |> UserIsAdminPlug.call(%{}) assert conn.status == 403 end end test "if token is missing, denies users regardless of is_admin flag", %{users: users} do for user <- users do conn = build_conn() |> assign(:user, user) |> assign(:token, nil) |> UserIsAdminPlug.call(%{}) assert conn.status == 403 end end end end