analytics/test/plausible_web/plugs/authorise_site_access_test.exs

defmodule PlausibleWeb.AuthorizeSiteAccessTest do
  use PlausibleWeb.ConnCase, async: true
  alias PlausibleWeb.AuthorizeSiteAccess

  setup [:create_user, :log_in]

  test "doesn't allow :website bypass with :domain in body", %{conn: conn, user: me} do
    my_site = insert(:site, memberships: [build(:site_membership, user: me, role: :owner)])

    other_site =
      insert(:site, memberships: [build(:site_membership, user: insert(:user), role: :owner)])

    conn =
      conn
      |> bypass_through(PlausibleWeb.Router)
      |> get("/#{other_site.domain}/settings", %{"domain" => my_site.domain})
      |> AuthorizeSiteAccess.call(_allowed_roles = [:admin, :owner])

    assert conn.halted
    assert conn.status == 404
    assert conn.path_params == %{"website" => other_site.domain}
  end
end
Auth updates 2022-08-05 10:24:24 +03:00			`defmodule PlausibleWeb.AuthorizeSiteAccessTest do`
			`use PlausibleWeb.ConnCase, async: true`
			`alias PlausibleWeb.AuthorizeSiteAccess`

			`setup [:create_user, :log_in]`

			`test "doesn't allow :website bypass with :domain in body", %{conn: conn, user: me} do`
			`my_site = insert(:site, memberships: [build(:site_membership, user: me, role: :owner)])`

			`other_site =`
			`insert(:site, memberships: [build(:site_membership, user: insert(:user), role: :owner)])`

			`conn =`
			`conn`
			`\|> bypass_through(PlausibleWeb.Router)`
			`\|> get("/#{other_site.domain}/settings", %{"domain" => my_site.domain})`
			`\|> AuthorizeSiteAccess.call(_allowed_roles = [:admin, :owner])`

			`assert conn.halted`
			`assert conn.status == 404`
			`assert conn.path_params == %{"website" => other_site.domain}`
			`end`
			`end`