Test api user traces failing without necessary scope

openstreetmap · Dec 21, 2024 · cf784a8 · cf784a8
1 parent bab8a8a
commit cf784a8
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/test/controllers/api/users/traces_controller_test.rb b/test/controllers/api/users/traces_controller_test.rb
@@ -20,12 +20,9 @@ def test_index
         trace2 = create(:trace, :user => user) do |trace|
           create(:tracetag, :trace => trace, :tag => "Birmingham")
         end
-        # check that nothing is returned when not logged in
-        get api_user_traces_path
-        assert_response :unauthorized
 
         # check that we get a response when logged in
-        auth_header = bearer_authorization_header user
+        auth_header = bearer_authorization_header user, :scopes => %w[read_gpx]
         get api_user_traces_path, :headers => auth_header
         assert_response :success
         assert_equal "application/xml", response.media_type
@@ -38,6 +35,19 @@ def test_index
           assert_select "tag", "Birmingham"
         end
       end
+
+      def test_index_anonymous
+        get api_user_traces_path
+        assert_response :unauthorized
+      end
+
+      def test_index_no_scope
+        user = create(:user)
+        bad_auth = bearer_authorization_header user, :scopes => %w[]
+
+        get api_user_traces_path, :headers => bad_auth
+        assert_response :forbidden
+      end
     end
   end
 end