Test `/users` endpoints for the `read_user` scope.

- Test `GET` endpoints to check that the scope is allowed.
- Test `POST` endpoints to check that the scope is disallowed.
- Test both `v3` and `v4` endpoints.

4 files changed, 78 insertions, 34 deletions

diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index 982c1a50e3b..f0edc06cd0b 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -50,28 +50,6 @@ describe API::Users do
         end['username']).to eq(username)
       end
 
-      context "scopes" do
-        context 'when the requesting token has the "read_user" scope' do
-          let(:token) { create(:personal_access_token, scopes: ['read_user']) }
-
-          it 'returns a "200" response' do
-            get api("/users", user, personal_access_token: token)
-
-            expect(response).to have_http_status(200)
-          end
-        end
-
-        context 'when the requesting token does not have any required scope' do
-          let(:token) { create(:personal_access_token, scopes: ['read_registry']) }
-
-          it 'returns a "401" response' do
-            get api("/users", user, personal_access_token: token)
-
-            expect(response).to have_http_status(401)
-          end
-        end
-      end
-
       it "returns an array of blocked users" do
         ldap_blocked_user
         create(:user, state: 'blocked')
@@ -104,6 +82,13 @@ describe API::Users do
 
         expect(json_response.first.keys).not_to include 'is_admin'
       end
+
+      context "scopes" do
+        let(:path) { "/users" }
+        let(:api_call) { method(:api) }
+
+        include_examples 'allows the "read_user" scope'
+      end
     end
 
     context "when admin" do
@@ -186,6 +171,13 @@ describe API::Users do
 
       expect(response).to have_http_status(404)
     end
+
+    context "scopes" do
+      let(:path) { "/users/#{user.id}" }
+      let(:api_call) { method(:api) }
+
+      include_examples 'allows the "read_user" scope'
+    end
   end
 
   describe "POST /users" do
@@ -321,16 +313,6 @@ describe API::Users do
         .to eq([Gitlab::PathRegex.namespace_format_message])
     end
 
-    context 'when the requesting token has the "read_user" scope' do
-      let(:token) { create(:personal_access_token, scopes: ['read_user'], user: admin) }
-
-      it 'returns a "401" response' do
-        post api("/users", admin, personal_access_token: token), attributes_for(:user, projects_limit: 3)
-
-        expect(response).to have_http_status(401)
-      end
-    end
-
     it "is not available for non admin users" do
       post api("/users", user), attributes_for(:user)
       expect(response).to have_http_status(403)
@@ -377,6 +359,14 @@ describe API::Users do
         expect(json_response['identities'].first['provider']).to eq('github')
       end
     end
+
+    context "scopes" do
+      let(:user) { admin }
+      let(:path) { '/users' }
+      let(:api_call) { method(:api) }
+
+      include_examples 'does not allow the "read_user" scope'
+    end
   end
 
   describe "GET /users/sign_up" do
diff --git a/spec/requests/api/v3/users_spec.rb b/spec/requests/api/v3/users_spec.rb
index 6d7401f9764..b2c5003c97a 100644
--- a/spec/requests/api/v3/users_spec.rb
+++ b/spec/requests/api/v3/users_spec.rb
@@ -67,6 +67,19 @@ describe API::V3::Users do
         expect(json_response.first['title']).to eq(key.title)
       end
     end
+
+    context "scopes" do
+      let(:user) { admin }
+      let(:path) { "/users/#{user.id}/keys" }
+      let(:api_call) { method(:v3_api) }
+
+      before do
+        user.keys << key
+        user.save
+      end
+
+      include_examples 'allows the "read_user" scope'
+    end
   end
 
   describe 'GET /user/:id/emails' do
@@ -312,5 +325,13 @@ describe API::V3::Users do
 
       expect(json_response['is_admin']).to be_nil
     end
+
+    context "scopes" do
+      let(:user) { admin }
+      let(:path) { '/users' }
+      let(:api_call) { method(:v3_api) }
+
+      include_examples 'does not allow the "read_user" scope'
+    end
   end
 end
diff --git a/spec/support/api/scopes/read_user_shared_examples.rb b/spec/support/api/scopes/read_user_shared_examples.rb
new file mode 100644
index 00000000000..bb5f493f3fd
--- /dev/null
+++ b/spec/support/api/scopes/read_user_shared_examples.rb
@@ -0,0 +1,33 @@
+shared_examples_for 'allows the "read_user" scope' do
+  describe 'when the requesting token has the "read_user" scope' do
+    let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
+
+    it 'returns a "200" response' do
+      get api_call.call(path, user, personal_access_token: token)
+
+      expect(response).to have_http_status(200)
+    end
+  end
+
+  describe 'when the requesting token does not have any required scope' do
+    let(:token) { create(:personal_access_token, scopes: ['read_registry'], user: user) }
+
+    it 'returns a "401" response' do
+      get api_call.call(path, user, personal_access_token: token)
+
+      expect(response).to have_http_status(401)
+    end
+  end
+end
+
+shared_examples_for 'does not allow the "read_user" scope' do
+  context 'when the requesting token has the "read_user" scope' do
+    let(:token) { create(:personal_access_token, scopes: ['read_user'], user: user) }
+
+    it 'returns a "401" response' do
+      post api_call.call(path, user, personal_access_token: token), attributes_for(:user, projects_limit: 3)
+
+      expect(response).to have_http_status(401)
+    end
+  end
+end
diff --git a/spec/support/api_helpers.rb b/spec/support/api_helpers.rb
index 163979a2a28..1becd302d77 100644
--- a/spec/support/api_helpers.rb
+++ b/spec/support/api_helpers.rb
@@ -34,8 +34,8 @@ module ApiHelpers
   end
 
   # Temporary helper method for simplifying V3 exclusive API specs
-  def v3_api(path, user = nil)
-    api(path, user, version: 'v3')
+  def v3_api(path, user = nil, personal_access_token: nil)
+    api(path, user, version: 'v3', personal_access_token: personal_access_token)
   end
 
   def ci_api(path, user = nil)