protect order_by too

Michael Genson
2026-05-14 19:22:31 +00:00
parent 140bd75412
commit 3e2a60ad14
2 changed files with 19 additions and 1 deletions


@@ -153,3 +153,20 @@ def test_filter_query_respects_context_var_true():
builder = QueryFilterBuilder("user.email = 'test@example.com'")
# Should not raise
builder.filter_query(query, RecipeModel)
# ---------------------------------------------------------------------------
# orderBy restricted traversal tests
# ---------------------------------------------------------------------------
def test_order_by_restricted_traversal_blocked():
"""get_model_and_model_attr_from_attr_string with allow_restricted=False blocks orderBy into User."""
with pytest.raises(ValueError, match="restricted model"):
QueryFilterBuilder.get_model_and_model_attr_from_attr_string("user.email", RecipeModel, allow_restricted=False)
def test_order_by_private_field_blocked():
"""Ordering by a PrivateColumn field should always raise, regardless of allow_restricted."""
with pytest.raises(ValueError, match="private field"):
QueryFilterBuilder.get_model_and_model_attr_from_attr_string("password", User, allow_restricted=True)
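Review bot: Both new tests call `get_model_and_model_attr_from_attr_string` directly, so nothing in this section shows that the request-level order_by path actually passes `allow_restricted=False`; the caller is presumably in the other changed file, which is not visible here. A test that drives that entry point with `user.email` as the sort key and expects a rejection would pin the behaviour the commit title promises. `test_order_by_private_field_blocked` also checks only a direct attribute on `User`, while the case that matters for leaking value order through sorting is reaching the private column through a relationship. I would add, under `with pytest.raises(ValueError, match="private field"):`, the call `QueryFilterBuilder.get_model_and_model_attr_from_attr_string("user.password", RecipeModel, allow_restricted=True)`.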