+ test "narrow + wide scoped tokens for different users" do
+ get_args = {
+ params: {
+ reader_tokens: [api_client_authorizations(:anonymous).api_token]
+ },
+ headers: auth(:active_userlist),
+ }
+ get(v1_url('users'), **get_args)
+ assert_response :success
+ get(v1_url('users', ''), **get_args) # Add trailing slash.
+ assert_response :success
+ get(v1_url('users', 'current'), **get_args)
+ assert_response 403
+ get(v1_url('virtual_machines'), **get_args)
+ assert_response 403
+ end
+
+ test "collections token can see exactly owned collections" do
+ get_args = {params: {}, headers: auth(:active_all_collections)}
+ get(v1_url('collections'), **get_args)
+ assert_response 403
+ get(v1_url('collections', collections(:collection_owned_by_active).uuid), **get_args)
+ assert_response :success
+ head(v1_url('collections', collections(:collection_owned_by_active).uuid), **get_args)
+ assert_response :success
+ get(v1_url('collections', collections(:collection_owned_by_foo).uuid), **get_args)
+ assert_includes(403..404, @response.status)