From 8699c8338f21404aa08c9a141768201ed02b2c93 Mon Sep 17 00:00:00 2001
From: Markus Koller
Date: Mon, 6 Feb 2017 16:39:35 +0100
Subject: Require explicit scopes on personal access tokens

Gitlab::Auth and API::APIGuard already check for at least one valid scope on personal access tokens, so if the scopes are empty the token will always fail validation.
---
 spec/models/personal_access_token_spec.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'spec/models/personal_access_token_spec.rb')

diff --git a/spec/models/personal_access_token_spec.rb b/spec/models/personal_access_token_spec.rb
index 4cc9cf02e6d..50f61ec18fd 100644
--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
@@ -13,19 +13,27 @@ describe PersonalAccessToken, models: true do
     end
   end
 
-  describe 'validate_scopes' do
+  context "validations" do
+    let(:personal_access_token) { build(:personal_access_token) }
+
+    it "requires at least one scope" do
+      personal_access_token.scopes = []
+
+      expect(personal_access_token).not_to be_valid
+      expect(personal_access_token.errors[:scopes].first).to eq "can't be blank"
+    end
+
     it "allows creating a token with API scopes" do
-      personal_access_token = build(:personal_access_token)
       personal_access_token.scopes = [:api, :read_user]
 
       expect(personal_access_token).to be_valid
     end
 
     it "rejects creating a token with non-API scopes" do
-      personal_access_token = build(:personal_access_token)
       personal_access_token.scopes = [:openid, :api]
 
       expect(personal_access_token).not_to be_valid
+      expect(personal_access_token.errors[:scopes].first).to eq "can only contain API scopes"
     end
   end
 end
--
cgit v1.2.1
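Review bot: The new "requires at least one scope" example only covers an empty array, so an unscoped token reached via `scopes = nil` (a NULL column or a caller that never sets the attribute) is not pinned down by the spec, even though the commit message says such a token must never validate. Whether the model's new check also rejects nil depends on how it is implemented (a `presence` validator does, an `empty?`-style custom check may not), which is outside this hunk; add a sibling example with `personal_access_token.scopes = nil` followed by `expect(personal_access_token).not_to be_valid` so a later refactor cannot reopen the gap. Asserting `errors[:scopes].first` also ties both examples to validator ordering; `expect(personal_access_token.errors[:scopes]).to include "can't be blank"` checks the same message without depending on which validation runs first. The enclosing `describe PersonalAccessToken` block starts before the hunk.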