Add more granular OAuth scopes (#7929)
* Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope
This commit is contained in:
		| @@ -78,4 +78,8 @@ class Api::BaseController < ApplicationController | ||||
|   def render_empty | ||||
|     render json: {}, status: 200 | ||||
|   end | ||||
|  | ||||
|   def authorize_if_got_token!(*scopes) | ||||
|     doorkeeper_authorize!(*scopes) if doorkeeper_token | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -1,8 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::CredentialsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read }, except: [:update] | ||||
|   before_action -> { doorkeeper_authorize! :write }, only: [:update] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:accounts' }, except: [:update] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, only: [:update] | ||||
|   before_action :require_user! | ||||
|  | ||||
|   def show | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::FollowerAccountsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:accounts' } | ||||
|   before_action :set_account | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::FollowingAccountsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:accounts' } | ||||
|   before_action :set_account | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::ListsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:lists' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_account | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::RelationshipsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:follows' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::SearchController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:accounts' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Accounts::StatusesController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:statuses' } | ||||
|   before_action :set_account | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
|   | ||||
| @@ -1,8 +1,11 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::AccountsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read }, except: [:follow, :unfollow, :block, :unblock, :mute, :unmute] | ||||
|   before_action -> { doorkeeper_authorize! :follow }, only: [:follow, :unfollow, :block, :unblock, :mute, :unmute] | ||||
|   before_action -> { authorize_if_got_token! :read, :'read:accounts' }, except: [:follow, :unfollow, :block, :unblock, :mute, :unmute] | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'write:follows' }, only: [:follow, :unfollow] | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'write:mutes' }, only: [:mute, :unmute] | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'write:blocks' }, only: [:block, :unblock] | ||||
|  | ||||
|   before_action :require_user!, except: [:show] | ||||
|   before_action :set_account | ||||
|   before_action :check_account_suspension, only: [:show] | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::BlocksController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :follow } | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'read:blocks' } | ||||
|   before_action :require_user! | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
|   | ||||
| @@ -3,7 +3,8 @@ | ||||
| class Api::V1::DomainBlocksController < Api::BaseController | ||||
|   BLOCK_LIMIT = 100 | ||||
|  | ||||
|   before_action -> { doorkeeper_authorize! :follow } | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'read:blocks' }, only: :show | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'write:blocks' }, except: :show | ||||
|   before_action :require_user! | ||||
|   after_action :insert_pagination_headers, only: :show | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::FavouritesController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:favourites' } | ||||
|   before_action :require_user! | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
|   | ||||
| @@ -1,8 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::FiltersController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read }, only: [:index, :show] | ||||
|   before_action -> { doorkeeper_authorize! :write }, except: [:index, :show] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:filters' }, only: [:index, :show] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:filters' }, except: [:index, :show] | ||||
|   before_action :require_user! | ||||
|   before_action :set_filters, only: :index | ||||
|   before_action :set_filter, only: [:show, :update, :destroy] | ||||
|   | ||||
| @@ -1,7 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::FollowRequestsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :follow } | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'read:follows' }, only: :index | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'write:follows' }, except: :index | ||||
|   before_action :require_user! | ||||
|   after_action :insert_pagination_headers, only: :index | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::FollowsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :follow } | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'write:follows' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -1,8 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Lists::AccountsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read },    only: [:show] | ||||
|   before_action -> { doorkeeper_authorize! :write }, except: [:show] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:lists' },    only:  [:show] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:lists' }, except: [:show] | ||||
|  | ||||
|   before_action :require_user! | ||||
|   before_action :set_list | ||||
|   | ||||
| @@ -1,8 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::ListsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read },    only: [:index, :show] | ||||
|   before_action -> { doorkeeper_authorize! :write }, except: [:index, :show] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:lists' },    only:  [:index, :show] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:lists' }, except: [:index, :show] | ||||
|  | ||||
|   before_action :require_user! | ||||
|   before_action :set_list, except: [:index, :create] | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::MediaController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :write } | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:media' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   include ObfuscateFilename | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::MutesController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :follow } | ||||
|   before_action -> { doorkeeper_authorize! :follow, :'read:mutes' } | ||||
|   before_action :require_user! | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::NotificationsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:notifications' }, except: [:clear, :dismiss] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:notifications' }, only: [:clear, :dismiss] | ||||
|   before_action :require_user! | ||||
|   after_action :insert_pagination_headers, only: :index | ||||
|  | ||||
|   | ||||
| @@ -1,8 +1,8 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::ReportsController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read }, except: [:create] | ||||
|   before_action -> { doorkeeper_authorize! :write }, only:  [:create] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:reports' }, except: [:create] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:reports' }, only: [:create] | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -5,7 +5,7 @@ class Api::V1::SearchController < Api::BaseController | ||||
|  | ||||
|   RESULTS_LIMIT = 5 | ||||
|  | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:search' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action :authorize_if_got_token | ||||
|   before_action -> { authorize_if_got_token! :read, :'read:accounts' } | ||||
|   before_action :set_status | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
| @@ -71,11 +71,6 @@ class Api::V1::Statuses::FavouritedByAccountsController < Api::BaseController | ||||
|     raise ActiveRecord::RecordNotFound | ||||
|   end | ||||
|  | ||||
|   def authorize_if_got_token | ||||
|     request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods) | ||||
|     doorkeeper_authorize! :read if request_token | ||||
|   end | ||||
|  | ||||
|   def pagination_params(core_params) | ||||
|     params.slice(:limit).permit(:limit).merge(core_params) | ||||
|   end | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| class Api::V1::Statuses::FavouritesController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action -> { doorkeeper_authorize! :write } | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:favourites' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| class Api::V1::Statuses::MutesController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action -> { doorkeeper_authorize! :write } | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:mutes' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_status | ||||
|   before_action :set_conversation | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| class Api::V1::Statuses::PinsController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action -> { doorkeeper_authorize! :write } | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:accounts' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_status | ||||
|  | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action :authorize_if_got_token | ||||
|   before_action -> { authorize_if_got_token! :read, :'read:accounts' } | ||||
|   before_action :set_status | ||||
|   after_action :insert_pagination_headers | ||||
|  | ||||
| @@ -68,11 +68,6 @@ class Api::V1::Statuses::RebloggedByAccountsController < Api::BaseController | ||||
|     raise ActiveRecord::RecordNotFound | ||||
|   end | ||||
|  | ||||
|   def authorize_if_got_token | ||||
|     request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods) | ||||
|     doorkeeper_authorize! :read if request_token | ||||
|   end | ||||
|  | ||||
|   def pagination_params(core_params) | ||||
|     params.slice(:limit).permit(:limit).merge(core_params) | ||||
|   end | ||||
|   | ||||
| @@ -3,7 +3,7 @@ | ||||
| class Api::V1::Statuses::ReblogsController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action -> { doorkeeper_authorize! :write } | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:statuses' } | ||||
|   before_action :require_user! | ||||
|  | ||||
|   respond_to :json | ||||
|   | ||||
| @@ -3,8 +3,8 @@ | ||||
| class Api::V1::StatusesController < Api::BaseController | ||||
|   include Authorization | ||||
|  | ||||
|   before_action :authorize_if_got_token, except:            [:create, :destroy] | ||||
|   before_action -> { doorkeeper_authorize! :write }, only:  [:create, :destroy] | ||||
|   before_action -> { authorize_if_got_token! :read, :'read:statuses' }, except: [:create, :destroy] | ||||
|   before_action -> { doorkeeper_authorize! :write, :'write:statuses' }, only:   [:create, :destroy] | ||||
|   before_action :require_user!, except:  [:show, :context, :card] | ||||
|   before_action :set_status, only:       [:show, :context, :card] | ||||
|  | ||||
| @@ -84,9 +84,4 @@ class Api::V1::StatusesController < Api::BaseController | ||||
|   def pagination_params(core_params) | ||||
|     params.slice(:limit).permit(:limit).merge(core_params) | ||||
|   end | ||||
|  | ||||
|   def authorize_if_got_token | ||||
|     request_token = Doorkeeper::OAuth::Token.from_request(request, *Doorkeeper.configuration.access_token_methods) | ||||
|     doorkeeper_authorize! :read if request_token | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Timelines::DirectController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read }, only: [:show] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: [:show] | ||||
|   before_action :require_user!, only: [:show] | ||||
|   after_action :insert_pagination_headers, unless: -> { @statuses.empty? } | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Timelines::HomeController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read }, only: [:show] | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:statuses' }, only: [:show] | ||||
|   before_action :require_user!, only: [:show] | ||||
|   after_action :insert_pagination_headers, unless: -> { @statuses.empty? } | ||||
|  | ||||
|   | ||||
| @@ -1,7 +1,7 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| class Api::V1::Timelines::ListController < Api::BaseController | ||||
|   before_action -> { doorkeeper_authorize! :read } | ||||
|   before_action -> { doorkeeper_authorize! :read, :'read:lists' } | ||||
|   before_action :require_user! | ||||
|   before_action :set_list | ||||
|   before_action :set_statuses | ||||
|   | ||||
| @@ -1,6 +1,12 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| module ApplicationHelper | ||||
|   DANGEROUS_SCOPES = %w( | ||||
|     read | ||||
|     write | ||||
|     follow | ||||
|   ).freeze | ||||
|  | ||||
|   def active_nav_class(path) | ||||
|     current_page?(path) ? 'active' : '' | ||||
|   end | ||||
| @@ -43,6 +49,10 @@ module ApplicationHelper | ||||
|     Rails.env.production? ? site_title : "#{site_title} (Dev)" | ||||
|   end | ||||
|  | ||||
|   def class_for_scope(scope) | ||||
|     'scope-danger' if DANGEROUS_SCOPES.include?(scope.to_s) | ||||
|   end | ||||
|  | ||||
|   def can?(action, record) | ||||
|     return false if record.nil? | ||||
|     policy(record).public_send("#{action}?") | ||||
|   | ||||
| @@ -612,3 +612,7 @@ code { | ||||
|     display: block; | ||||
|   } | ||||
| } | ||||
|  | ||||
| .scope-danger { | ||||
|   color: $warning-red; | ||||
| } | ||||
|   | ||||
| @@ -8,14 +8,9 @@ | ||||
|   %p.hint= t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: Doorkeeper.configuration.native_redirect_uri) | ||||
|  | ||||
| .field-group | ||||
|   = f.input :scopes, | ||||
|     label: t('activerecord.attributes.doorkeeper/application.scopes'), | ||||
|     collection: Doorkeeper.configuration.scopes, | ||||
|     wrapper: :with_label, | ||||
|     include_blank: false, | ||||
|     label_method: lambda { |scope| safe_join([scope, content_tag(:span, t("doorkeeper.scopes.#{scope}"), class: 'hint')]) }, | ||||
|     selected: f.object.scopes.all, | ||||
|     required: false, | ||||
|     as: :check_boxes, | ||||
|     collection_wrapper_tag: 'ul', | ||||
|     item_wrapper_tag: 'li' | ||||
|   .input.with_block_label | ||||
|     %label= t('activerecord.attributes.doorkeeper/application.scopes') | ||||
|     %span.hint= t('simple_form.hints.defaults.scopes') | ||||
|  | ||||
|   - Doorkeeper.configuration.scopes.group_by { |s| s.split(':').first }.each do |k, v| | ||||
|     = f.input :scopes, label: false, hint: false, collection: v.sort, wrapper: :with_block_label, include_blank: false, label_method: lambda { |scope| safe_join([content_tag(:samp, scope, class: class_for_scope(scope)), content_tag(:span, t("doorkeeper.scopes.#{scope}"), class: 'hint')]) }, selected: f.object.scopes.all, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li' | ||||
|   | ||||
| @@ -55,7 +55,32 @@ Doorkeeper.configure do | ||||
|   # For more information go to | ||||
|   # https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes | ||||
|   default_scopes  :read | ||||
|   optional_scopes :write, :follow, :push | ||||
|   optional_scopes :write, | ||||
|                   :'write:accounts', | ||||
|                   :'write:blocks', | ||||
|                   :'write:favourites', | ||||
|                   :'write:filters', | ||||
|                   :'write:follows', | ||||
|                   :'write:lists', | ||||
|                   :'write:media', | ||||
|                   :'write:mutes', | ||||
|                   :'write:notifications', | ||||
|                   :'write:reports', | ||||
|                   :'write:statuses', | ||||
|                   :read, | ||||
|                   :'read:accounts', | ||||
|                   :'read:blocks', | ||||
|                   :'read:favourites', | ||||
|                   :'read:filters', | ||||
|                   :'read:follows', | ||||
|                   :'read:lists', | ||||
|                   :'read:mutes', | ||||
|                   :'read:notifications', | ||||
|                   :'read:reports', | ||||
|                   :'read:search', | ||||
|                   :'read:statuses', | ||||
|                   :follow, | ||||
|                   :push | ||||
|  | ||||
|   # Change the way client credentials are retrieved from the request object. | ||||
|   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then | ||||
|   | ||||
| @@ -114,7 +114,29 @@ en: | ||||
|       application: | ||||
|         title: OAuth authorization required | ||||
|     scopes: | ||||
|       follow: follow, block, unblock and unfollow accounts | ||||
|       push: receive push notifications for your account | ||||
|       read: read your account's data | ||||
|       write: post on your behalf | ||||
|       follow: modify account relationships | ||||
|       push: receive your push notifications | ||||
|       read: read all your account's data | ||||
|       read:accounts: see accounts information | ||||
|       read:blocks: see your blocks | ||||
|       read:favourites: see your favourites | ||||
|       read:filters: see your filters | ||||
|       read:follows: see your follows | ||||
|       read:lists: see your lists | ||||
|       read:mutes: see your mutes | ||||
|       read:notifications: see your notifications | ||||
|       read:reports: see your reports | ||||
|       read:search: search on your behalf | ||||
|       read:statuses: see all statuses | ||||
|       write: modify all your account's data | ||||
|       write:accounts: modify your profile | ||||
|       write:blocks: block accounts and domains | ||||
|       write:favourites: favourite statuses | ||||
|       write:filters: create filters | ||||
|       write:follows: follow people | ||||
|       write:lists: create lists | ||||
|       write:media: upload media files | ||||
|       write:mutes: mute people and conversations | ||||
|       write:notifications: clear your notifications | ||||
|       write:reports: report other people | ||||
|       write:statuses: publish statuses | ||||
|   | ||||
| @@ -20,6 +20,7 @@ en: | ||||
|           one: <span class="note-counter">1</span> character left | ||||
|           other: <span class="note-counter">%{count}</span> characters left | ||||
|         phrase: Will be matched regardless of casing in text or content warning of a toot | ||||
|         scopes: Which APIs the application will be allowed to access. If you select a top-level scope, you don't need to select individual ones. | ||||
|         setting_default_language: The language of your toots can be detected automatically, but it's not always accurate | ||||
|         setting_hide_network: Who you follow and who follows you will not be shown on your profile | ||||
|         setting_noindex: Affects your public profile and status pages | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Accounts::CredentialsController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
| @@ -12,6 +12,8 @@ describe Api::V1::Accounts::CredentialsController do | ||||
|     end | ||||
|  | ||||
|     describe 'GET #show' do | ||||
|       let(:scopes) { 'read:accounts' } | ||||
|  | ||||
|       it 'returns http success' do | ||||
|         get :show | ||||
|         expect(response).to have_http_status(200) | ||||
| @@ -19,6 +21,8 @@ describe Api::V1::Accounts::CredentialsController do | ||||
|     end | ||||
|  | ||||
|     describe 'PATCH #update' do | ||||
|       let(:scopes) { 'write:accounts' } | ||||
|  | ||||
|       describe 'with valid data' do | ||||
|         before do | ||||
|           allow(ActivityPub::UpdateDistributionWorker).to receive(:perform_async) | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Accounts::FollowerAccountsController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') } | ||||
|  | ||||
|   before do | ||||
|     Fabricate(:follow, target_account: user.account) | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Accounts::FollowingAccountsController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') } | ||||
|  | ||||
|   before do | ||||
|     Fabricate(:follow, account: user.account) | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Accounts::ListsController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)    { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token)   { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token)   { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:lists') } | ||||
|   let(:account) { Fabricate(:account) } | ||||
|   let(:list)    { Fabricate(:list, account: user.account) } | ||||
|  | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Accounts::RelationshipsController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:follows') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   | ||||
| @@ -4,7 +4,7 @@ RSpec.describe Api::V1::Accounts::SearchController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:accounts') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Accounts::StatusesController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   | ||||
| @@ -3,21 +3,38 @@ require 'rails_helper' | ||||
| RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow read') } | ||||
|   let(:user)   { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:scopes) { '' } | ||||
|   let(:token)  { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   end | ||||
|  | ||||
|   describe 'GET #show' do | ||||
|     it 'returns http success' do | ||||
|       get :show, params: { id: user.account.id } | ||||
|       expect(response).to have_http_status(200) | ||||
|   shared_examples 'forbidden for wrong scope' do |wrong_scope| | ||||
|     let(:scopes) { wrong_scope } | ||||
|  | ||||
|     it 'returns http forbidden' do | ||||
|       expect(response).to have_http_status(403) | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   describe 'GET #show' do | ||||
|     let(:scopes) { 'read:accounts' } | ||||
|  | ||||
|     before do | ||||
|       get :show, params: { id: user.account.id } | ||||
|     end | ||||
|  | ||||
|     it 'returns http success' do | ||||
|       expect(response).to have_http_status(200) | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'write:statuses' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #follow' do | ||||
|     let(:scopes) { 'write:follows' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob', locked: locked)).account } | ||||
|  | ||||
|     before do | ||||
| @@ -41,6 +58,8 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|       it 'creates a following relation between user and target user' do | ||||
|         expect(user.account.following?(other_account)).to be true | ||||
|       end | ||||
|  | ||||
|       it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|     end | ||||
|  | ||||
|     context 'with locked account' do | ||||
| @@ -60,10 +79,13 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|       it 'creates a follow request relation between user and target user' do | ||||
|         expect(user.account.requested?(other_account)).to be true | ||||
|       end | ||||
|  | ||||
|       it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   describe 'POST #unfollow' do | ||||
|     let(:scopes) { 'write:follows' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } | ||||
|  | ||||
|     before do | ||||
| @@ -78,9 +100,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|     it 'removes the following relation between user and target user' do | ||||
|       expect(user.account.following?(other_account)).to be false | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #block' do | ||||
|     let(:scopes) { 'write:blocks' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } | ||||
|  | ||||
|     before do | ||||
| @@ -99,9 +124,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|     it 'creates a blocking relation' do | ||||
|       expect(user.account.blocking?(other_account)).to be true | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #unblock' do | ||||
|     let(:scopes) { 'write:blocks' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } | ||||
|  | ||||
|     before do | ||||
| @@ -116,9 +144,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|     it 'removes the blocking relation between user and target user' do | ||||
|       expect(user.account.blocking?(other_account)).to be false | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #mute' do | ||||
|     let(:scopes) { 'write:mutes' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } | ||||
|  | ||||
|     before do | ||||
| @@ -141,9 +172,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|     it 'mutes notifications' do | ||||
|       expect(user.account.muting_notifications?(other_account)).to be true | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #mute with notifications set to false' do | ||||
|     let(:scopes) { 'write:mutes' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } | ||||
|  | ||||
|     before do | ||||
| @@ -166,9 +200,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|     it 'does not mute notifications' do | ||||
|       expect(user.account.muting_notifications?(other_account)).to be false | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #unmute' do | ||||
|     let(:scopes) { 'write:mutes' } | ||||
|     let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account } | ||||
|  | ||||
|     before do | ||||
| @@ -183,5 +220,7 @@ RSpec.describe Api::V1::AccountsController, type: :controller do | ||||
|     it 'removes the muting relation between user and target user' do | ||||
|       expect(user.account.muting?(other_account)).to be false | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'read:accounts' | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -3,8 +3,9 @@ require 'rails_helper' | ||||
| RSpec.describe Api::V1::BlocksController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } | ||||
|   let(:user)   { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:scopes) { 'read:blocks' } | ||||
|   let(:token)  { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|  | ||||
|   before { allow(controller).to receive(:doorkeeper_token) { token } } | ||||
|  | ||||
| @@ -49,5 +50,14 @@ RSpec.describe Api::V1::BlocksController, type: :controller do | ||||
|       get :index | ||||
|       expect(response).to have_http_status(200) | ||||
|     end | ||||
|  | ||||
|     context 'with wrong scopes' do | ||||
|       let(:scopes) { 'write:blocks' } | ||||
|  | ||||
|       it 'returns http forbidden' do | ||||
|         get :index | ||||
|         expect(response).to have_http_status(403) | ||||
|       end | ||||
|     end | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -4,14 +4,24 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|  | ||||
|   before do | ||||
|     user.account.block_domain!('example.com') | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   end | ||||
|  | ||||
|   shared_examples 'forbidden for wrong scope' do |wrong_scope| | ||||
|     let(:scopes) { wrong_scope } | ||||
|  | ||||
|     it 'returns http forbidden' do | ||||
|       expect(response).to have_http_status(403) | ||||
|     end | ||||
|   end | ||||
|  | ||||
|   describe 'GET #show' do | ||||
|     let(:scopes) { 'read:blocks' } | ||||
|  | ||||
|     before do | ||||
|       get :show, params: { limit: 1 } | ||||
|     end | ||||
| @@ -23,9 +33,13 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do | ||||
|     it 'returns blocked domains' do | ||||
|       expect(body_as_json.first).to eq 'example.com' | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'write:statuses' | ||||
|   end | ||||
|  | ||||
|   describe 'POST #create' do | ||||
|     let(:scopes) { 'write:blocks' } | ||||
|  | ||||
|     before do | ||||
|       post :create, params: { domain: 'example.org' } | ||||
|     end | ||||
| @@ -37,9 +51,13 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do | ||||
|     it 'creates a domain block' do | ||||
|       expect(user.account.domain_blocking?('example.org')).to be true | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'write:statuses' | ||||
|   end | ||||
|  | ||||
|   describe 'DELETE #destroy' do | ||||
|     let(:scopes) { 'write:blocks' } | ||||
|  | ||||
|     before do | ||||
|       delete :destroy, params: { domain: 'example.com' } | ||||
|     end | ||||
| @@ -51,5 +69,7 @@ RSpec.describe Api::V1::DomainBlocksController, type: :controller do | ||||
|     it 'deletes a domain block' do | ||||
|       expect(user.account.domain_blocking?('example.com')).to be false | ||||
|     end | ||||
|  | ||||
|     it_behaves_like 'forbidden for wrong scope', 'write:statuses' | ||||
|   end | ||||
| end | ||||
|   | ||||
| @@ -45,7 +45,7 @@ RSpec.describe Api::V1::FavouritesController, type: :controller do | ||||
|       context 'with read scope and valid resource owner' do | ||||
|         before do | ||||
|           allow(controller).to receive(:doorkeeper_token) do | ||||
|             Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') | ||||
|             Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:favourites') | ||||
|           end | ||||
|         end | ||||
|  | ||||
|   | ||||
| @@ -4,13 +4,14 @@ RSpec.describe Api::V1::FiltersController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   end | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     let(:scopes) { 'read:filters' } | ||||
|     let!(:filter) { Fabricate(:custom_filter, account: user.account) } | ||||
|  | ||||
|     it 'returns http success' do | ||||
| @@ -20,6 +21,8 @@ RSpec.describe Api::V1::FiltersController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #create' do | ||||
|     let(:scopes) { 'write:filters' } | ||||
|  | ||||
|     before do | ||||
|       post :create, params: { phrase: 'magic', context: %w(home), irreversible: true } | ||||
|     end | ||||
| @@ -39,6 +42,7 @@ RSpec.describe Api::V1::FiltersController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'GET #show' do | ||||
|     let(:scopes) { 'read:filters' } | ||||
|     let(:filter) { Fabricate(:custom_filter, account: user.account) } | ||||
|  | ||||
|     it 'returns http success' do | ||||
| @@ -48,6 +52,7 @@ RSpec.describe Api::V1::FiltersController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'PUT #update' do | ||||
|     let(:scopes) { 'write:filters' } | ||||
|     let(:filter) { Fabricate(:custom_filter, account: user.account) } | ||||
|  | ||||
|     before do | ||||
| @@ -64,6 +69,7 @@ RSpec.describe Api::V1::FiltersController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'DELETE #destroy' do | ||||
|     let(:scopes) { 'write:filters' } | ||||
|     let(:filter) { Fabricate(:custom_filter, account: user.account) } | ||||
|  | ||||
|     before do | ||||
|   | ||||
| @@ -4,7 +4,7 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)     { Fabricate(:user, account: Fabricate(:account, username: 'alice', locked: true)) } | ||||
|   let(:token)    { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } | ||||
|   let(:token)    { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|   let(:follower) { Fabricate(:account, username: 'bob') } | ||||
|  | ||||
|   before do | ||||
| @@ -13,6 +13,8 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     let(:scopes) { 'read:follows' } | ||||
|  | ||||
|     before do | ||||
|       get :index, params: { limit: 1 } | ||||
|     end | ||||
| @@ -23,6 +25,8 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #authorize' do | ||||
|     let(:scopes) { 'write:follows' } | ||||
|  | ||||
|     before do | ||||
|       post :authorize, params: { id: follower.id } | ||||
|     end | ||||
| @@ -37,6 +41,8 @@ RSpec.describe Api::V1::FollowRequestsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #reject' do | ||||
|     let(:scopes) { 'write:follows' } | ||||
|  | ||||
|     before do | ||||
|       post :reject, params: { id: follower.id } | ||||
|     end | ||||
|   | ||||
| @@ -4,7 +4,7 @@ RSpec.describe Api::V1::FollowsController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:follows') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   | ||||
| @@ -4,7 +4,7 @@ describe Api::V1::Lists::AccountsController do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|   let(:list)  { Fabricate(:list, account: user.account) } | ||||
|  | ||||
|   before do | ||||
| @@ -14,6 +14,8 @@ describe Api::V1::Lists::AccountsController do | ||||
|   end | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     let(:scopes) { 'read:lists' } | ||||
|  | ||||
|     it 'returns http success' do | ||||
|       get :show, params: { list_id: list.id } | ||||
|  | ||||
| @@ -22,6 +24,7 @@ describe Api::V1::Lists::AccountsController do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #create' do | ||||
|     let(:scopes) { 'write:lists' } | ||||
|     let(:bob) { Fabricate(:account, username: 'bob') } | ||||
|  | ||||
|     before do | ||||
| @@ -39,6 +42,8 @@ describe Api::V1::Lists::AccountsController do | ||||
|   end | ||||
|  | ||||
|   describe 'DELETE #destroy' do | ||||
|     let(:scopes) { 'write:lists' } | ||||
|  | ||||
|     before do | ||||
|       delete :destroy, params: { list_id: list.id, account_ids: [list.accounts.first.id] } | ||||
|     end | ||||
|   | ||||
| @@ -4,12 +4,14 @@ RSpec.describe Api::V1::ListsController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let!(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } | ||||
|   let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|   let!(:list)  { Fabricate(:list, account: user.account) } | ||||
|  | ||||
|   before { allow(controller).to receive(:doorkeeper_token) { token } } | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     let(:scopes) { 'read:lists' } | ||||
|  | ||||
|     it 'returns http success' do | ||||
|       get :index | ||||
|       expect(response).to have_http_status(200) | ||||
| @@ -17,6 +19,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'GET #show' do | ||||
|     let(:scopes) { 'read:lists' } | ||||
|  | ||||
|     it 'returns http success' do | ||||
|       get :show, params: { id: list.id } | ||||
|       expect(response).to have_http_status(200) | ||||
| @@ -24,6 +28,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #create' do | ||||
|     let(:scopes) { 'write:lists' } | ||||
|  | ||||
|     before do | ||||
|       post :create, params: { title: 'Foo bar' } | ||||
|     end | ||||
| @@ -39,6 +45,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'PUT #update' do | ||||
|     let(:scopes) { 'write:lists' } | ||||
|  | ||||
|     before do | ||||
|       put :update, params: { id: list.id, title: 'Updated title' } | ||||
|     end | ||||
| @@ -53,6 +61,8 @@ RSpec.describe Api::V1::ListsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'DELETE #destroy' do | ||||
|     let(:scopes) { 'write:lists' } | ||||
|  | ||||
|     before do | ||||
|       delete :destroy, params: { id: list.id } | ||||
|     end | ||||
|   | ||||
| @@ -4,7 +4,7 @@ RSpec.describe Api::V1::MediaController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:media') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   | ||||
| @@ -4,7 +4,7 @@ RSpec.describe Api::V1::MutesController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:mutes') } | ||||
|  | ||||
|   before do | ||||
|     Fabricate(:mute, account: user.account, hide_notifications: false) | ||||
|   | ||||
| @@ -4,7 +4,7 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|   let(:other) { Fabricate(:user, account: Fabricate(:account, username: 'bob')) } | ||||
|  | ||||
|   before do | ||||
| @@ -12,6 +12,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'GET #show' do | ||||
|     let(:scopes) { 'read:notifications' } | ||||
|  | ||||
|     it 'returns http success' do | ||||
|       notification = Fabricate(:notification, account: user.account) | ||||
|       get :show, params: { id: notification.id } | ||||
| @@ -21,6 +23,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #dismiss' do | ||||
|     let(:scopes) { 'write:notifications' } | ||||
|  | ||||
|     it 'destroys the notification' do | ||||
|       notification = Fabricate(:notification, account: user.account) | ||||
|       post :dismiss, params: { id: notification.id } | ||||
| @@ -31,6 +35,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #clear' do | ||||
|     let(:scopes) { 'write:notifications' } | ||||
|  | ||||
|     it 'clears notifications for the account' do | ||||
|       notification = Fabricate(:notification, account: user.account) | ||||
|       post :clear | ||||
| @@ -41,6 +47,8 @@ RSpec.describe Api::V1::NotificationsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     let(:scopes) { 'read:notifications' } | ||||
|  | ||||
|     before do | ||||
|       first_status = PostStatusService.new.call(user.account, 'Test') | ||||
|       @reblog_of_first_status = ReblogService.new.call(other.account, first_status) | ||||
|   | ||||
| @@ -6,13 +6,15 @@ RSpec.describe Api::V1::ReportsController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read write') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   end | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     let(:scopes) { 'read:reports' } | ||||
|  | ||||
|     it 'returns http success' do | ||||
|       get :index | ||||
|  | ||||
| @@ -21,6 +23,7 @@ RSpec.describe Api::V1::ReportsController, type: :controller do | ||||
|   end | ||||
|  | ||||
|   describe 'POST #create' do | ||||
|     let(:scopes)  { 'write:reports' } | ||||
|     let!(:status) { Fabricate(:status) } | ||||
|     let!(:admin)  { Fabricate(:user, admin: true) } | ||||
|  | ||||
|   | ||||
| @@ -6,7 +6,7 @@ RSpec.describe Api::V1::SearchController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:search') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   | ||||
| @@ -5,7 +5,7 @@ RSpec.describe Api::V1::Statuses::FavouritedByAccountsController, type: :control | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: 'read:accounts') } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
|   | ||||
| @@ -7,7 +7,7 @@ describe Api::V1::Statuses::FavouritesController do | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:favourites', application: app) } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
|   | ||||
| @@ -7,7 +7,7 @@ describe Api::V1::Statuses::MutesController do | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:mutes', application: app) } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
|   | ||||
| @@ -7,7 +7,7 @@ describe Api::V1::Statuses::PinsController do | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:accounts', application: app) } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
|   | ||||
| @@ -5,7 +5,7 @@ RSpec.describe Api::V1::Statuses::RebloggedByAccountsController, type: :controll | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: 'read:accounts') } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
|   | ||||
| @@ -7,7 +7,7 @@ describe Api::V1::Statuses::ReblogsController do | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write', application: app) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'write:statuses', application: app) } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
|   | ||||
| @@ -5,7 +5,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:app)   { Fabricate(:application, name: 'Test app', website: 'http://testapp.com') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: 'write') } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, application: app, scopes: scopes) } | ||||
|  | ||||
|   context 'with an oauth token' do | ||||
|     before do | ||||
| @@ -13,6 +13,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do | ||||
|     end | ||||
|  | ||||
|     describe 'GET #show' do | ||||
|       let(:scopes) { 'read:statuses' } | ||||
|       let(:status) { Fabricate(:status, account: user.account) } | ||||
|  | ||||
|       it 'returns http success' do | ||||
| @@ -22,6 +23,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do | ||||
|     end | ||||
|  | ||||
|     describe 'GET #context' do | ||||
|       let(:scopes) { 'read:statuses' } | ||||
|       let(:status) { Fabricate(:status, account: user.account) } | ||||
|  | ||||
|       before do | ||||
| @@ -35,6 +37,8 @@ RSpec.describe Api::V1::StatusesController, type: :controller do | ||||
|     end | ||||
|  | ||||
|     describe 'POST #create' do | ||||
|       let(:scopes) { 'write:statuses' } | ||||
|  | ||||
|       before do | ||||
|         post :create, params: { status: 'Hello world' } | ||||
|       end | ||||
| @@ -45,6 +49,7 @@ RSpec.describe Api::V1::StatusesController, type: :controller do | ||||
|     end | ||||
|  | ||||
|     describe 'DELETE #destroy' do | ||||
|       let(:scopes) { 'write:statuses' } | ||||
|       let(:status) { Fabricate(:status, account: user.account) } | ||||
|  | ||||
|       before do | ||||
|   | ||||
| @@ -12,7 +12,7 @@ describe Api::V1::Timelines::HomeController do | ||||
|   end | ||||
|  | ||||
|   context 'with a user context' do | ||||
|     let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|     let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:statuses') } | ||||
|  | ||||
|     describe 'GET #show' do | ||||
|       before do | ||||
|   | ||||
| @@ -13,7 +13,7 @@ describe Api::V1::Timelines::ListController do | ||||
|   end | ||||
|  | ||||
|   context 'with a user context' do | ||||
|     let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') } | ||||
|     let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:lists') } | ||||
|  | ||||
|     describe 'GET #show' do | ||||
|       before do | ||||
|   | ||||
							
								
								
									
										22
									
								
								spec/controllers/api/v2/search_controller_spec.rb
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										22
									
								
								spec/controllers/api/v2/search_controller_spec.rb
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,22 @@ | ||||
| # frozen_string_literal: true | ||||
|  | ||||
| require 'rails_helper' | ||||
|  | ||||
| RSpec.describe Api::V2::SearchController, type: :controller do | ||||
|   render_views | ||||
|  | ||||
|   let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) } | ||||
|   let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read:search') } | ||||
|  | ||||
|   before do | ||||
|     allow(controller).to receive(:doorkeeper_token) { token } | ||||
|   end | ||||
|  | ||||
|   describe 'GET #index' do | ||||
|     it 'returns http success' do | ||||
|       get :index, params: { q: 'test' } | ||||
|  | ||||
|       expect(response).to have_http_status(200) | ||||
|     end | ||||
|   end | ||||
| end | ||||
		Reference in New Issue
	
	Block a user