Check that use of privileged scopes is restricted to administrators
authorTom Hughes <tom@compton.nu>
Sun, 1 Aug 2021 21:22:12 +0000 (22:22 +0100)
committerTom Hughes <tom@compton.nu>
Thu, 26 Aug 2021 16:22:25 +0000 (17:22 +0100)
test/controllers/oauth2_applications_controller_test.rb

index 338144a95d95e643c9b720e07f459845b29e7ea7..149b6ee35ec458c3a59305dc474311254cd9412a 100644 (file)
@@ -115,6 +115,32 @@ class Oauth2ApplicationsControllerTest < ActionDispatch::IntegrationTest
     assert_redirected_to oauth_application_path(:id => Doorkeeper::Application.find_by(:name => "Test Application").id)
   end
 
+  def test_create_privileged
+    session_for(create(:user))
+
+    assert_difference "Doorkeeper::Application.count", 0 do
+      post oauth_applications_path(:oauth2_application => {
+                                     :name => "Test Application",
+                                     :redirect_uri => "https://test.example.com/",
+                                     :scopes => ["read_email"]
+                                   })
+    end
+    assert_response :success
+    assert_template "oauth2_applications/new"
+
+    session_for(create(:administrator_user))
+
+    assert_difference "Doorkeeper::Application.count", 1 do
+      post oauth_applications_path(:oauth2_application => {
+                                     :name => "Test Application",
+                                     :redirect_uri => "https://test.example.com/",
+                                     :scopes => ["read_email"]
+                                   })
+    end
+    assert_response :redirect
+    assert_redirected_to oauth_application_path(:id => Doorkeeper::Application.find_by(:name => "Test Application").id)
+  end
+
   def test_show
     user = create(:user)
     client = create(:oauth_application, :owner => user)
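Review bot: The new test only exercises the create path, so it would not catch a privilege escalation through update: a non-administrator who creates an application with ordinary scopes and then edits it to add `read_email` would still succeed unless the controller applies the same restriction there, and nothing in this hunk shows that it is tested. A companion `test_update_privileged` that creates an `:oauth_application` owned by a plain user, issues a `put` with `:scopes => ["read_email"]`, and asserts that the reloaded application's scopes do not include `read_email` would close that gap. Separately, the rejected branch at the first `assert_response :success` only proves the form was re-rendered; it would stay green if the request were refused for some unrelated validation reason, so asserting on the scope-specific error in the rendered page (for example with `assert_select` against the scopes field's error markup, whatever the form emits) would pin the behaviour the commit title describes. If the privileged-scope list contains more entries than `read_email`, iterating over that list rather than hard-coding one scope would keep the test in step with it.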