From 971fbc28b890027e78c17f62f7d410796116f9a2 Mon Sep 17 00:00:00 2001
From: Anton Khorev <tony29@yandex.ru>
Date: Sat, 21 Dec 2024 05:19:12 +0300
Subject: [PATCH] Test api user traces failing without necessary scope

---
 .../api/users/traces_controller_test.rb        | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/test/controllers/api/users/traces_controller_test.rb b/test/controllers/api/users/traces_controller_test.rb
index 9fdd492714..2f464056f4 100644
--- a/test/controllers/api/users/traces_controller_test.rb
+++ b/test/controllers/api/users/traces_controller_test.rb
@@ -20,12 +20,9 @@ def test_index
         trace2 = create(:trace, :user => user) do |trace|
           create(:tracetag, :trace => trace, :tag => "Birmingham")
         end
-        # check that nothing is returned when not logged in
-        get api_user_traces_path
-        assert_response :unauthorized
 
         # check that we get a response when logged in
-        auth_header = bearer_authorization_header user
+        auth_header = bearer_authorization_header user, :scopes => %w[read_gpx]
         get api_user_traces_path, :headers => auth_header
         assert_response :success
         assert_equal "application/xml", response.media_type
@@ -38,6 +35,19 @@ def test_index
           assert_select "tag", "Birmingham"
         end
       end
+
+      def test_index_anonymous
+        get api_user_traces_path
+        assert_response :unauthorized
+      end
+
+      def test_index_no_scope
+        user = create(:user)
+        bad_auth = bearer_authorization_header user, :scopes => %w[]
+
+        get api_user_traces_path, :headers => bad_auth
+        assert_response :forbidden
+      end
     end
   end
 end