github/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-02-23 18:37:23 -08:00
Code Issues Packages Projects Releases Wiki Activity
mealie/tests/integration_tests/user_tests/test_user_crud.py
Kuchenpirat bf616f9db5
fix: prevent users from updating their own household privileges (#4928) 
Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com>
2025-01-22 16:06:41 +00:00

115 lines
4.9 KiB
Python
Raw Permalink Blame History

import pytest
from fastapi.testclient import TestClient
from tests.utils import api_routes
from tests.utils.factories import random_email, random_int, random_string
from tests.utils.fixture_schemas import TestUser
@pytest.mark.parametrize("use_admin_user", [True, False])
def test_get_all_users_admin(request: pytest.FixtureRequest, api_client: TestClient, use_admin_user: bool):
user: TestUser
if use_admin_user:
user = request.getfixturevalue("admin_user")
else:
user = request.getfixturevalue("unique_user")
database = user.repos
user_ids: set[str] = set()
for _ in range(random_int(2, 5)):
group = database.groups.create({"name": random_string()})
household = database.households.create({"name": random_string(), "group_id": group.id})
for _ in range(random_int(2, 5)):
new_user = database.users.create(
{
"username": random_string(),
"email": random_email(),
"group": group.name,
"household": household.name,
"full_name": random_string(),
"password": random_string(),
"admin": False,
}
)
user_ids.add(str(new_user.id))
response = api_client.get(api_routes.admin_users, params={"perPage": -1}, headers=user.token)
if not use_admin_user:
assert response.status_code == 403
return
assert response.status_code == 200
# assert all users from all groups are returned
response_user_ids = {user["id"] for user in response.json()["items"]}
for user_id in user_ids:
assert user_id in response_user_ids
def test_user_update(api_client: TestClient, unique_user: TestUser, admin_user: TestUser):
response = api_client.get(api_routes.users_self, headers=unique_user.token)
user = response.json()
# valid request without updates
response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=user, headers=unique_user.token)
assert response.status_code == 200
# valid request with updates
tmp_user = user.copy()
tmp_user["email"] = random_email()
tmp_user["full_name"] = random_string()
response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=unique_user.token)
assert response.status_code == 200
# test user attempting to update another user
form = {"email": admin_user.email, "full_name": admin_user.full_name}
response = api_client.put(api_routes.users_item_id(admin_user.user_id), json=form, headers=unique_user.token)
assert response.status_code == 403
# test user attempting permission changes
permissions = ["canInvite", "canManage", "canManageHousehold", "canOrganize", "advanced", "admin"]
for permission in permissions:
tmp_user = user.copy()
tmp_user[permission] = not user[permission]
response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=form, headers=unique_user.token)
assert response.status_code == 403
# test user attempting to change group
tmp_user = user.copy()
tmp_user["group"] = random_string()
response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=unique_user.token)
assert response.status_code == 403
# test user attempting to change household
tmp_user = user.copy()
tmp_user["household"] = random_string()
response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=unique_user.token)
assert response.status_code == 403
def test_admin_updates(api_client: TestClient, admin_user: TestUser, unique_user: TestUser):
response = api_client.get(api_routes.users_item_id(unique_user.user_id), headers=admin_user.token)
user = response.json()
response = api_client.get(api_routes.users_item_id(admin_user.user_id), headers=admin_user.token)
admin = response.json()
# admin updating themselves
tmp_user = admin.copy()
tmp_user["fullName"] = random_string()
response = api_client.put(api_routes.users_item_id(admin_user.user_id), json=tmp_user, headers=admin_user.token)
assert response.status_code == 200
# admin updating another user via the normal user route
tmp_user = user.copy()
tmp_user["fullName"] = random_string()
response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=admin_user.token)
assert response.status_code == 403
# admin updating their own permissions
permissions = ["canInvite", "canManage", "canManageHousehold", "canOrganize", "admin"]
for permission in permissions:
tmp_user = admin.copy()
tmp_user[permission] = not admin[permission]
response = api_client.put(api_routes.users_item_id(admin_user.user_id), json=tmp_user, headers=admin_user.token)
assert response.status_code == 403
Reference in New Issue View Git Blame Copy Permalink