Chat moderation: add tests for unauthorized access

2024-06-16 04:00:44 +00:00 · 2020-09-11 14:00:34 -05:00 · 2020-09-11 14:00:34 -05:00 · dfb831ca39
parent e229536e5c
commit dfb831ca39
3 changed files with 109 additions and 2 deletions
--- a/docs/API/admin_api.md
+++ b/docs/API/admin_api.md
@ -1395,7 +1395,7 @@ Loads json generated from `config/descriptions.exs`.

 ### List the messages in a chat

- Params: None
+- Params: `max_id`, `min_id`

 - Response:

--- a/test/web/admin_api/controllers/admin_api_controller_test.exs
+++ b/test/web/admin_api/controllers/admin_api_controller_test.exs
@ -1528,6 +1528,35 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
    end
  end

+  describe "GET /api/pleroma/admin/users/:nickname/chats unauthorized" do
+    setup do
+      user = insert(:user)
+      insert(:chat, user: user)
+      %{conn: conn} = oauth_access(["read:chats"])
+      %{conn: conn, user: user}
+    end
+
+    test "returns 403", %{conn: conn, user: user} do
+      conn
+      |> get("/api/pleroma/admin/users/#{user.nickname}/chats")
+      |> json_response(403)
+    end
+  end
+
+  describe "GET /api/pleroma/admin/users/:nickname/chats unauthenticated" do
+    setup do
+      user = insert(:user)
+      insert(:chat, user: user)
+      %{conn: build_conn(), user: user}
+    end
+
+    test "returns 403", %{conn: conn, user: user} do
+      conn
+      |> get("/api/pleroma/admin/users/#{user.nickname}/chats")
+      |> json_response(403)
+    end
+  end
+
  describe "GET /api/pleroma/admin/moderation_log" do
    setup do
      moderator = insert(:user, is_moderator: true)
--- a/test/web/admin_api/controllers/chat_controller_test.exs
+++ b/test/web/admin_api/controllers/chat_controller_test.exs
@ -15,7 +15,7 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
  alias Pleroma.Repo
  alias Pleroma.Web.CommonAPI

-  setup do
+  defp admin_setup do
    admin = insert(:user, is_admin: true)
    token = insert(:oauth_admin_token, user: admin)

@ -28,6 +28,8 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
  end

  describe "DELETE /api/pleroma/admin/chats/:id/messages/:message_id" do
+    setup do: admin_setup()
+
    test "it deletes a message from the chat", %{conn: conn, admin: admin} do
      user = insert(:user)
      recipient = insert(:user)
@ -59,6 +61,8 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
  end

  describe "GET /api/pleroma/admin/chats/:id/messages" do
+    setup do: admin_setup()
+
    test "it paginates", %{conn: conn} do
      user = insert(:user)
      recipient = insert(:user)
@ -111,6 +115,8 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
  end

  describe "GET /api/pleroma/admin/chats/:id" do
+    setup do: admin_setup()
+
    test "it returns a chat", %{conn: conn} do
      user = insert(:user)
      other_user = insert(:user)
@ -128,4 +134,76 @@ defmodule Pleroma.Web.AdminAPI.ChatControllerTest do
      refute result["account"]
    end
  end
+
+  describe "unauthorized chat moderation" do
+    setup do
+      user = insert(:user)
+      recipient = insert(:user)
+
+      {:ok, message} = CommonAPI.post_chat_message(user, recipient, "Yo")
+      object = Object.normalize(message, false)
+      chat = Chat.get(user.id, recipient.ap_id)
+      cm_ref = MessageReference.for_chat_and_object(chat, object)
+
+      %{conn: conn} = oauth_access(["read:chats", "write:chats"])
+      %{conn: conn, chat: chat, cm_ref: cm_ref}
+    end
+
+    test "DELETE /api/pleroma/admin/chats/:id/messages/:message_id", %{conn: conn, chat: chat, cm_ref: cm_ref} do
+      conn
+      |> put_req_header("content-type", "application/json")
+      |> delete("/api/pleroma/admin/chats/#{chat.id}/messages/#{cm_ref.id}")
+      |> json_response(403)
+
+      assert MessageReference.get_by_id(cm_ref.id) == cm_ref
+    end
+
+    test "GET /api/pleroma/admin/chats/:id/messages", %{conn: conn, chat: chat} do
+      conn
+      |> get("/api/pleroma/admin/chats/#{chat.id}/messages")
+      |> json_response(403)
+    end
+
+    test "GET /api/pleroma/admin/chats/:id", %{conn: conn, chat: chat} do
+      conn
+      |> get("/api/pleroma/admin/chats/#{chat.id}")
+      |> json_response(403)
+    end
+  end
+
+  describe "unauthenticated chat moderation" do
+    setup do
+      user = insert(:user)
+      recipient = insert(:user)
+
+      {:ok, message} = CommonAPI.post_chat_message(user, recipient, "Yo")
+      object = Object.normalize(message, false)
+      chat = Chat.get(user.id, recipient.ap_id)
+      cm_ref = MessageReference.for_chat_and_object(chat, object)
+
+      %{conn: build_conn(), chat: chat, cm_ref: cm_ref}
+    end
+
+    test "DELETE /api/pleroma/admin/chats/:id/messages/:message_id", %{conn: conn, chat: chat, cm_ref: cm_ref} do
+      conn
+      |> put_req_header("content-type", "application/json")
+      |> delete("/api/pleroma/admin/chats/#{chat.id}/messages/#{cm_ref.id}")
+      |> json_response(403)
+
+      assert MessageReference.get_by_id(cm_ref.id) == cm_ref
+    end
+
+    test "GET /api/pleroma/admin/chats/:id/messages", %{conn: conn, chat: chat} do
+      conn
+      |> get("/api/pleroma/admin/chats/#{chat.id}/messages")
+      |> json_response(403)
+    end
+
+    test "GET /api/pleroma/admin/chats/:id", %{conn: conn, chat: chat} do
+      conn
+      |> get("/api/pleroma/admin/chats/#{chat.id}")
+      |> json_response(403)
+    end
+  end
+
 end