crate::owners: Use token scope restrictions

Turbo87 · Turbo87 · commit 3ecd7c16df52 · 2022-12-01T15:21:22.000+01:00
diff --git a/src/controllers/krate/owners.rs b/src/controllers/krate/owners.rs
@@ -2,6 +2,7 @@
 
 use crate::auth::AuthCheck;
 use crate::controllers::prelude::*;
+use crate::models::token::EndpointScope;
 use crate::models::{Crate, Owner, Rights, Team, User};
 use crate::views::EncodableOwner;
 
@@ -80,7 +81,12 @@ fn parse_owners_request(req: &mut dyn RequestExt) -> AppResult<Vec<String>> {
 }
 
 fn modify_owners(req: &mut dyn RequestExt, add: bool) -> EndpointResult {
-    let auth = AuthCheck::default().check(req)?;
+    let crate_name = &req.params()["crate_id"];
+
+    let auth = AuthCheck::default()
+        .with_endpoint_scope(EndpointScope::ChangeOwners)
+        .for_crate(crate_name)
+        .check(req)?;
 
     let logins = parse_owners_request(req)?;
     let app = req.app();
diff --git a/src/tests/owners.rs b/src/tests/owners.rs
@@ -367,17 +367,11 @@ fn owner_change_via_change_owner_token_with_wrong_crate_scope() {
     let body = json!({ "owners": [user2.gh_login] });
     let body = serde_json::to_vec(&body).unwrap();
     let response = token.put::<()>(&url, &body);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
-        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+        json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
     );
-    // TODO this should return "403 Forbidden" once token scopes are implemented for this endpoint
-    // assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    // assert_eq!(
-    //     response.into_json(),
-    //     json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
-    // );
 }
 
 #[test]
@@ -395,17 +389,11 @@ fn owner_change_via_publish_token() {
     let body = json!({ "owners": [user2.gh_login] });
     let body = serde_json::to_vec(&body).unwrap();
     let response = token.put::<()>(&url, &body);
-    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(response.status(), StatusCode::FORBIDDEN);
     assert_eq!(
         response.into_json(),
-        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+        json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
     );
-    // TODO this should return "403 Forbidden" once token scopes are implemented for this endpoint
-    // assert_eq!(response.status(), StatusCode::FORBIDDEN);
-    // assert_eq!(
-    //     response.into_json(),
-    //     json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
-    // );
 }
 
 #[test]
