def merge
if !Thread.current[:api_client].andand.is_trusted
return send_error("supplied API token is not from a trusted client", status: 403)
+ elsif Thread.current[:api_client_authorization].scopes != ['all']
+ return send_error("cannot merge with a scoped token", status: 403)
end
dst_auth = ApiClientAuthorization.validate(token: params[:new_user_token])
end
if !dst_auth.api_client.andand.is_trusted
return send_error("supplied new_user_token is not from a trusted client", status: 403)
+ elsif dst_auth.scopes != ['all']
+ return send_error("supplied new_user_token has restricted scope", status: 403)
end
dst_user = dst_auth.user
end
end
+ [['src', :active_trustedclient],
+ ['dst', :project_viewer_trustedclient]].each do |which_scoped, auth|
+ test "refuse to merge with scoped #{which_scoped} token" do
+ act_as_system_user do
+ api_client_authorizations(auth).update_attributes(scopes: ["GET /", "POST /", "PUT /"])
+ end
+ authorize_with(:active_trustedclient)
+ post(:merge, {
+ new_user_token: api_client_authorizations(:project_viewer_trustedclient).api_token,
+ new_owner_uuid: users(:project_viewer).uuid,
+ redirect_to_new_user: true,
+ })
+ assert_response(403)
+ end
+ end
+
test "refuse to merge if new_owner_uuid is not writable" do
authorize_with(:project_viewer_trustedclient)
post(:merge, {