From 46f6a213efc8f60fd277547fac0b2466a9996f26 Mon Sep 17 00:00:00 2001
From: Tobias Bieniek
Date: Thu, 1 Dec 2022 15:20:57 +0100
Subject: [PATCH] crate::owners: Use token scope restrictions
---
 src/controllers/krate/owners.rs | 8 +++++++-
 src/tests/owners.rs | 20 ++++----------------
 2 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/src/controllers/krate/owners.rs b/src/controllers/krate/owners.rs
index d7e4c737a35..4a9d9b33967 100644
--- a/src/controllers/krate/owners.rs
+++ b/src/controllers/krate/owners.rs
@@ -2,6 +2,7 @@ use crate::auth::AuthCheck;
 use crate::controllers::prelude::*;
+use crate::models::token::EndpointScope;
 use crate::models::{Crate, Owner, Rights, Team, User};
 use crate::views::EncodableOwner;
@@ -80,7 +81,12 @@ fn parse_owners_request(req: &mut dyn RequestExt) -> AppResult> {
 }
 fn modify_owners(req: &mut dyn RequestExt, add: bool) -> EndpointResult {
- let auth = AuthCheck::default().check(req)?;
+ let crate_name = &req.params()["crate_id"];
+
+ let auth = AuthCheck::default()
+ .with_endpoint_scope(EndpointScope::ChangeOwners)
+ .for_crate(crate_name)
+ .check(req)?;
 let logins = parse_owners_request(req)?;
 let app = req.app();
diff --git a/src/tests/owners.rs b/src/tests/owners.rs
index 1058312ded6..6aff640082d 100644
--- a/src/tests/owners.rs
+++ b/src/tests/owners.rs
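Review bot: The crate name fed into the scope check, `&req.params()["crate_id"]`, is the raw path parameter, while the crate the request actually modifies is loaded later in `modify_owners`, outside this hunk; if that lookup normalizes the name (case or `-`/`_` folding) but `for_crate` compares the literal value, a crate-scoped token could be accepted or rejected for a different spelling of the same crate, so the scope match and the crate lookup should share one normalization. The `[]` index on `params()` panics when the parameter is absent, which is fine only because the router supplies it; a one-line comment stating that invariant would keep the next maintainer from treating it as a bug. A short comment above the chain would also make the authorization intent explicit: `// Scoped API tokens must hold the ChangeOwners endpoint scope and, if crate-scoped, a scope covering this crate.` The body of `modify_owners` continues past the end of the hunk.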
@@ -321,17 +321,11 @@ fn owner_change_via_change_owner_token() {
 let body = json!({ "owners": [user2.gh_login] });
 let body = serde_json::to_vec(&body).unwrap();
 let response = token.put::<()>(&url, &body);
- assert_eq!(response.status(), StatusCode::FORBIDDEN);
+ assert_eq!(response.status(), StatusCode::OK);
 assert_eq!(
 response.into_json(),
- json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
+ json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
 );
- // TODO swap these assertions once token scopes are activated for this endpoint
- // assert_eq!(response.status(), StatusCode::OK);
- // assert_eq!(
- // response.into_json(),
- // json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
- // );
 }
 #[test]
@@ -350,17 +344,11 @@ fn owner_change_via_change_owner_token_with_matching_crate_scope() {
 let body = json!({ "owners": [user2.gh_login] });
 let body = serde_json::to_vec(&body).unwrap();
 let response = token.put::<()>(&url, &body);
- assert_eq!(response.status(), StatusCode::FORBIDDEN);
+ assert_eq!(response.status(), StatusCode::OK);
 assert_eq!(
 response.into_json(),
- json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
+ json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
 );
- // TODO swap these assertions once token scopes are activated for this endpoint
- // assert_eq!(response.status(), StatusCode::OK);
- // assert_eq!(
- // response.into_json(),
- // json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
- // );
 }
 #[test]
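Review bot: Both hunks (`owner_change_via_change_owner_token` and `owner_change_via_change_owner_token_with_matching_crate_scope`) now pin only the allow path of the new scope check; the deny path it introduces — a token whose crate scope does not cover `foo_crate`, or one without the ChangeOwners endpoint scope, still receiving `StatusCode::FORBIDDEN` — should be asserted in a sibling test if one does not already exist outside these hunks. The expected body `json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })` is duplicated verbatim in both tests; a shared helper or constant would keep them in sync when the message wording changes. Both test functions begin before their hunks.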