Add gem scope check to owner adds and removals

app/controllers/api/v1/owners_controller.rb

@@ -1,6 +1,7 @@
 class Api::V1::OwnersController < Api::BaseController
   before_action :authenticate_with_api_key, except: %i[show gems]
   before_action :find_rubygem, except: :gems
+  before_action :verify_api_key_gem_scope, except: %i[show gems]
   before_action :verify_gem_ownership, except: %i[show gems]
   before_action :verify_mfa_requirement, except: %i[show gems]
   before_action :verify_with_otp, except: %i[show gems]

test/functional/api/v1/owners_controller_test.rb

@@ -262,6 +262,34 @@ def self.should_respond_to(format)
           assert_includes @rubygem.owners_including_unconfirmed, @second_user
         end
       end
+
+      context "with api key gem scoped" do
+        context "to another gem" do
+          setup do
+            another_rubygem_ownership = create(:ownership, user: @user, rubygem: create(:rubygem, name: "test"))
+
+            @api_key.update(ownership: another_rubygem_ownership)
+            post :create, params: { rubygem_id: @rubygem.to_param, email: @second_user.email }, format: :json
+          end
+
+          should respond_with :forbidden
+          should "not add other user as gem owner" do
+            refute_includes @rubygem.owners, @second_user
+          end
+        end
+
+        context "to the same gem" do
+          setup do
+            @api_key.update(rubygem_id: @rubygem.id)
+            post :create, params: { rubygem_id: @rubygem.to_param, email: @second_user.email }, format: :json
+          end
+
+          should respond_with :success
+          should "adds other user as gem owner" do
+            assert_includes @rubygem.owners_including_unconfirmed, @second_user
+          end
+        end
+      end
     end
 
     context "without add owner api key scope" do
@@ -294,7 +322,7 @@ def self.should_respond_to(format)
         create(:ownership, rubygem: @rubygem, user: @user)
         @ownership = create(:ownership, rubygem: @rubygem, user: @second_user)
 
-        create(:api_key, key: "12223", remove_owner: true, user: @user)
+        @api_key = create(:api_key, key: "12223", remove_owner: true, user: @user)
         @request.env["HTTP_AUTHORIZATION"] = "12223"
       end
 
@@ -406,6 +434,35 @@ def self.should_respond_to(format)
           end
         end
       end
+
+      context "with api key gem scoped" do
+        context "to another gem" do
+          setup do
+            another_rubygem_ownership = create(:ownership, user: @user, rubygem: create(:rubygem, name: "test"))
+
+            @api_key.update(ownership: another_rubygem_ownership)
+            post :destroy, params: { rubygem_id: @rubygem.to_param, email: @second_user.email }, format: :json
+          end
+
+          should respond_with :forbidden
+          should "not remove other user as gem owner" do
+            assert_includes @rubygem.owners, @second_user
+            assert_equal "This API key cannot perform the specified action on this gem.", @response.body
+          end
+        end
+
+        context "to the same gem" do
+          setup do
+            @api_key.update(rubygem_id: @rubygem.id)
+            post :destroy, params: { rubygem_id: @rubygem.to_param, email: @second_user.email }, format: :json
+          end
+
+          should respond_with :success
+          should "removes other user as gem owner" do
+            refute_includes @rubygem.owners, @second_user
+          end
+        end
+      end
     end
 
     context "without remove owner api key scope" do