Add more granular OAuth scopes (#7929)

* Add more granular OAuth scopes * Add human-readable descriptions of the new scopes * Ensure new scopes look good on the app UI * Add tests * Group scopes in screen and color-code dangerous ones * Fix wrong extra scope
2018-07-05 18:31:35 +02:00 · 2018-07-05 18:31:35 +02:00 · 1f6ed4f86a
commit 1f6ed4f86a
parent ca2cc556f1
69 changed files with 295 additions and 105 deletions
--- a/spec/controllers/api/v1/accounts_controller_spec.rb
+++ b/spec/controllers/api/v1/accounts_controller_spec.rb
@ -3,21 +3,38 @@ require 'rails_helper'
 RSpec.describe Api::V1::AccountsController, type: :controller do
  render_views

-  let(:user)  { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
-  let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'follow read') }
+  let(:user)   { Fabricate(:user, account: Fabricate(:account, username: 'alice')) }
+  let(:scopes) { '' }
+  let(:token)  { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }

  before do
    allow(controller).to receive(:doorkeeper_token) { token }
  end

-  describe 'GET #show' do
-    it 'returns http success' do
-      get :show, params: { id: user.account.id }
-      expect(response).to have_http_status(200)
+  shared_examples 'forbidden for wrong scope' do |wrong_scope|
+    let(:scopes) { wrong_scope }
+
+    it 'returns http forbidden' do
+      expect(response).to have_http_status(403)
    end
  end

+  describe 'GET #show' do
+    let(:scopes) { 'read:accounts' }
+
+    before do
+      get :show, params: { id: user.account.id }
+    end
+
+    it 'returns http success' do
+      expect(response).to have_http_status(200)
+    end
+
+    it_behaves_like 'forbidden for wrong scope', 'write:statuses'
+  end
+
  describe 'POST #follow' do
+    let(:scopes) { 'write:follows' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob', locked: locked)).account }

    before do
@ -41,6 +58,8 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
      it 'creates a following relation between user and target user' do
        expect(user.account.following?(other_account)).to be true
      end
+
+      it_behaves_like 'forbidden for wrong scope', 'read:accounts'
    end

    context 'with locked account' do
@ -60,10 +79,13 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
      it 'creates a follow request relation between user and target user' do
        expect(user.account.requested?(other_account)).to be true
      end
+
+      it_behaves_like 'forbidden for wrong scope', 'read:accounts'
    end
  end

  describe 'POST #unfollow' do
+    let(:scopes) { 'write:follows' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }

    before do
@ -78,9 +100,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
    it 'removes the following relation between user and target user' do
      expect(user.account.following?(other_account)).to be false
    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
  end

  describe 'POST #block' do
+    let(:scopes) { 'write:blocks' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }

    before do
@ -99,9 +124,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
    it 'creates a blocking relation' do
      expect(user.account.blocking?(other_account)).to be true
    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
  end

  describe 'POST #unblock' do
+    let(:scopes) { 'write:blocks' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }

    before do
@ -116,9 +144,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
    it 'removes the blocking relation between user and target user' do
      expect(user.account.blocking?(other_account)).to be false
    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
  end

  describe 'POST #mute' do
+    let(:scopes) { 'write:mutes' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }

    before do
@ -141,9 +172,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
    it 'mutes notifications' do
      expect(user.account.muting_notifications?(other_account)).to be true
    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
  end

  describe 'POST #mute with notifications set to false' do
+    let(:scopes) { 'write:mutes' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }

    before do
@ -166,9 +200,12 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
    it 'does not mute notifications' do
      expect(user.account.muting_notifications?(other_account)).to be false
    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
  end

  describe 'POST #unmute' do
+    let(:scopes) { 'write:mutes' }
    let(:other_account) { Fabricate(:user, email: 'bob@example.com', account: Fabricate(:account, username: 'bob')).account }

    before do
@ -183,5 +220,7 @@ RSpec.describe Api::V1::AccountsController, type: :controller do
    it 'removes the muting relation between user and target user' do
      expect(user.account.muting?(other_account)).to be false
    end
+
+    it_behaves_like 'forbidden for wrong scope', 'read:accounts'
  end
 end