From: Anton Khorev <tony29@yandex.ru>
Date: Sat, 21 Dec 2024 02:19:12 +0000 (+0300)
Subject: Test api user traces failing without necessary scope
X-Git-Tag: live~56^2
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/971fbc28b890027e78c17f62f7d410796116f9a2

Test api user traces failing without necessary scope
---

diff --git a/test/controllers/api/users/traces_controller_test.rb b/test/controllers/api/users/traces_controller_test.rb
index 9fdd49271..2f464056f 100644
--- a/test/controllers/api/users/traces_controller_test.rb
+++ b/test/controllers/api/users/traces_controller_test.rb
@@ -20,12 +20,9 @@ module Api
         trace2 = create(:trace, :user => user) do |trace|
           create(:tracetag, :trace => trace, :tag => "Birmingham")
         end
-        # check that nothing is returned when not logged in
-        get api_user_traces_path
-        assert_response :unauthorized
 
         # check that we get a response when logged in
-        auth_header = bearer_authorization_header user
+        auth_header = bearer_authorization_header user, :scopes => %w[read_gpx]
         get api_user_traces_path, :headers => auth_header
         assert_response :success
         assert_equal "application/xml", response.media_type
@@ -38,6 +35,19 @@ module Api
           assert_select "tag", "Birmingham"
         end
       end
+
+      def test_index_anonymous
+        get api_user_traces_path
+        assert_response :unauthorized
+      end
+
+      def test_index_no_scope
+        user = create(:user)
+        bad_auth = bearer_authorization_header user, :scopes => %w[]
+
+        get api_user_traces_path, :headers => bad_auth
+        assert_response :forbidden
+      end
     end
   end
 end