Check that use of privileged scopes is restricted to administrators

2021-08-01 22:22:12 +01:00 · 2021-08-01 22:22:12 +01:00 · 5723ba0624
commit 5723ba0624
parent 64604a852f
1 changed files with 26 additions and 0 deletions
--- a/test/controllers/oauth2_applications_controller_test.rb
+++ b/test/controllers/oauth2_applications_controller_test.rb
@ -115,6 +115,32 @@ class Oauth2ApplicationsControllerTest < ActionDispatch::IntegrationTest
    assert_redirected_to oauth_application_path(:id => Doorkeeper::Application.find_by(:name => "Test Application").id)
  end

+  def test_create_privileged
+    session_for(create(:user))
+
+    assert_difference "Doorkeeper::Application.count", 0 do
+      post oauth_applications_path(:oauth2_application => {
+                                     :name => "Test Application",
+                                     :redirect_uri => "https://test.example.com/",
+                                     :scopes => ["read_email"]
+                                   })
+    end
+    assert_response :success
+    assert_template "oauth2_applications/new"
+
+    session_for(create(:administrator_user))
+
+    assert_difference "Doorkeeper::Application.count", 1 do
+      post oauth_applications_path(:oauth2_application => {
+                                     :name => "Test Application",
+                                     :redirect_uri => "https://test.example.com/",
+                                     :scopes => ["read_email"]
+                                   })
+    end
+    assert_response :redirect
+    assert_redirected_to oauth_application_path(:id => Doorkeeper::Application.find_by(:name => "Test Application").id)
+  end
+
  def test_show
    user = create(:user)
    client = create(:oauth_application, :owner => user)