From: Tom Hughes
Date: Sun, 1 Aug 2021 21:22:12 +0000 (+0100)
Subject: Check that use of privileged scopes is restricted to administrators
X-Git-Tag: live~2066^2~1
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/5723ba06243fcf7c0a56e68c245a23ab267c841b?ds=sidebyside;hp=--cc

Check that use of privileged scopes is restricted to administrators
---
5723ba06243fcf7c0a56e68c245a23ab267c841b
diff --git a/test/controllers/oauth2_applications_controller_test.rb b/test/controllers/oauth2_applications_controller_test.rb
index 338144a95..149b6ee35 100644
--- a/test/controllers/oauth2_applications_controller_test.rb
+++ b/test/controllers/oauth2_applications_controller_test.rb
@@ -115,6 +115,32 @@ class Oauth2ApplicationsControllerTest < ActionDispatch::IntegrationTest
 assert_redirected_to oauth_application_path(:id => Doorkeeper::Application.find_by(:name => "Test Application").id)
 end
 
+ def test_create_privileged
+ session_for(create(:user))
+
+ assert_difference "Doorkeeper::Application.count", 0 do
+ post oauth_applications_path(:oauth2_application => {
+ :name => "Test Application",
+ :redirect_uri => "https://test.example.com/",
+ :scopes => ["read_email"]
+ })
+ end
+ assert_response :success
+ assert_template "oauth2_applications/new"
+
+ session_for(create(:administrator_user))
+
+ assert_difference "Doorkeeper::Application.count", 1 do
+ post oauth_applications_path(:oauth2_application => {
+ :name => "Test Application",
+ :redirect_uri => "https://test.example.com/",
+ :scopes => ["read_email"]
+ })
+ end
+ assert_response :redirect
+ assert_redirected_to oauth_application_path(:id => Doorkeeper::Application.find_by(:name => "Test Application").id)
+ end
+
 def test_show
 user = create(:user)
 client = create(:oauth_application, :owner => user)
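Review bot: The new `test_create_privileged` pins the administrator-only rule for `read_email` on the create path only; no update counterpart is visible in this diff, so a regression that lets an ordinary owner add the scope by editing an existing application would pass this suite unless it is covered elsewhere. A sibling test that has a non-administrator owner submit `:scopes => ["read_email"]` to the update route and then checks the stored scopes would close that gap; the sketch below leaves out the response assertion because the update action's rendering is not shown here. The non-administrator half could also send the privileged scope together with an ordinary one, since a check that only rejects an all-privileged list would still satisfy the current assertions. The enclosing class and the following `test_show` continue outside the hunk.

```ruby
  # … unchanged: test_create_privileged …

  def test_update_privileged
    user = create(:user)
    client = create(:oauth_application, :owner => user)
    session_for(user)

    put oauth_application_path(:id => client.id, :oauth2_application => { :scopes => ["read_email"] })

    # The stored record, not just the response, must stay free of the privileged scope.
    assert_not_includes client.reload.scopes.to_a, "read_email"
  end
```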