diff options
| author | Markus Koller <markus-koller@gmx.ch> | 2017-02-06 18:39:35 +0300 |
|---|---|---|
| committer | Alexis Reigel <mail@koffeinfrei.org> | 2017-03-07 17:00:29 +0300 |
| commit | 8699c8338f21404aa08c9a141768201ed02b2c93 (patch) | |
| tree | 168b3277c3c23a49268ec11dc38ed284ee610825 /spec/controllers/profiles | |
| parent | eefbc837301acc49a33617063faafa97adee307e (diff) | |
Require explicit scopes on personal access tokens
Gitlab::Auth and API::APIGuard already check for at least one valid
scope on personal access tokens, so if the scopes are empty the token
will always fail validation.
Diffstat (limited to 'spec/controllers/profiles')
| -rw-r--r-- | spec/controllers/profiles/personal_access_tokens_spec.rb | 29 |
1 files changed, 7 insertions, 22 deletions
diff --git a/spec/controllers/profiles/personal_access_tokens_spec.rb b/spec/controllers/profiles/personal_access_tokens_spec.rb index 9d5f4c99f6d..19572ce53b7 100644 --- a/spec/controllers/profiles/personal_access_tokens_spec.rb +++ b/spec/controllers/profiles/personal_access_tokens_spec.rb @@ -2,6 +2,7 @@ require 'spec_helper' describe Profiles::PersonalAccessTokensController do let(:user) { create(:user) } + let(:token_attributes) { attributes_for(:personal_access_token) } describe '#create' do def created_token @@ -10,40 +11,24 @@ describe Profiles::PersonalAccessTokensController do before { sign_in(user) } - it "allows creation of a token" do - name = FFaker::Product.brand + it "allows creation of a token with scopes" do + scopes = %w[api read_user] - post :create, personal_access_token: { name: name } + post :create, personal_access_token: token_attributes.merge(scopes: scopes) expect(created_token).not_to be_nil - expect(created_token.name).to eq(name) - expect(created_token.expires_at).to be_nil + expect(created_token.name).to eq(token_attributes[:name]) + expect(created_token.scopes).to eq(scopes) expect(PersonalAccessToken.active).to include(created_token) end it "allows creation of a token with an expiry date" do expires_at = 5.days.from_now - post :create, personal_access_token: { name: FFaker::Product.brand, expires_at: expires_at } + post :create, personal_access_token: token_attributes.merge(expires_at: expires_at) expect(created_token).not_to be_nil expect(created_token.expires_at.to_i).to eq(expires_at.to_i) end - - context "scopes" do - it "allows creation of a token with scopes" do - post :create, personal_access_token: { name: FFaker::Product.brand, scopes: %w(api read_user) } - - expect(created_token).not_to be_nil - expect(created_token.scopes).to eq(%w(api read_user)) - end - - it "allows creation of a token with no scopes" do - post :create, personal_access_token: { name: FFaker::Product.brand, scopes: [] } - - expect(created_token).not_to be_nil - expect(created_token.scopes).to eq([]) - end - end end end |