Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-11-02 02:03:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

API security hardening (#571)

Browse Source 
* Enhance security and safety around user update API

- Prevent a regular user from promoting themself to admin
- Prevent an admin from demoting themself
- Refactor token fixture to admin + regular user tokens

* Restrict user CRUD API to admins

* Secure admin API routes

* Refactor APIrouter into Admin/UserAPIRouter

* Secure theme routes

* Make 'all recipes' routes public

* Secure favorite routes

* Remove redundant checks

* Fix public routes mistakenly flagged user routes

* Make webhooks changeable only by admin

* Allow users to create categories and tags

* Address lint issues
This commit is contained in:
sephrat
2021-06-22 20:22:15 +02:00
committed by GitHub
parent f5faff66d3
commit 6320ba7ec5
43 changed files with 456 additions and 347 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
tests/integration_tests/test_theme_routes.py
View File

@@ -28,38 +28,38 @@ def new_theme():
}
def test_default_theme(api_client: TestClient, api_routes: AppRoutes, default_theme):
response = api_client.get(api_routes.themes_id(1))
def test_default_theme(api_client: TestClient, api_routes: AppRoutes, default_theme, user_token):
response = api_client.get(api_routes.themes_id(1), headers=user_token)
assert response.status_code == 200
assert json.loads(response.content) == default_theme
def test_create_theme(api_client: TestClient, api_routes: AppRoutes, new_theme, token):
def test_create_theme(api_client: TestClient, api_routes: AppRoutes, new_theme, user_token):
response = api_client.post(api_routes.themes_create, json=new_theme, headers=token)
response = api_client.post(api_routes.themes_create, json=new_theme, headers=user_token)
assert response.status_code == 201
response = api_client.get(api_routes.themes_id(new_theme.get("id")), headers=token)
response = api_client.get(api_routes.themes_id(new_theme.get("id")), headers=user_token)
assert response.status_code == 200
assert json.loads(response.content) == new_theme
def test_read_all_themes(api_client: TestClient, api_routes: AppRoutes, default_theme, new_theme):
response = api_client.get(api_routes.themes)
def test_read_all_themes(api_client: TestClient, api_routes: AppRoutes, default_theme, new_theme, user_token):
response = api_client.get(api_routes.themes, headers=user_token)
assert response.status_code == 200
response_dict = json.loads(response.content)
assert default_theme in response_dict
assert new_theme in response_dict
def test_read_theme(api_client: TestClient, api_routes: AppRoutes, default_theme, new_theme):
def test_read_theme(api_client: TestClient, api_routes: AppRoutes, default_theme, new_theme, user_token):
for theme in [default_theme, new_theme]:
response = api_client.get(api_routes.themes_id(theme.get("id")))
response = api_client.get(api_routes.themes_id(theme.get("id")), headers=user_token)
assert response.status_code == 200
assert json.loads(response.content) == theme
def test_update_theme(api_client: TestClient, api_routes: AppRoutes, token, new_theme):
def test_update_theme(api_client: TestClient, api_routes: AppRoutes, user_token, new_theme):
theme_colors = {
"primary": "#E12345",
"accent": "#012345",
@@ -72,14 +72,14 @@ def test_update_theme(api_client: TestClient, api_routes: AppRoutes, token, new_
new_theme["colors"] = theme_colors
new_theme["name"] = "New Theme Name"
response = api_client.put(api_routes.themes_id(new_theme.get("id")), json=new_theme, headers=token)
response = api_client.put(api_routes.themes_id(new_theme.get("id")), json=new_theme, headers=user_token)
assert response.status_code == 200
response = api_client.get(api_routes.themes_id(new_theme.get("id")))
response = api_client.get(api_routes.themes_id(new_theme.get("id")), headers=user_token)
assert json.loads(response.content) == new_theme
def test_delete_theme(api_client: TestClient, api_routes: AppRoutes, default_theme, new_theme, token):
def test_delete_theme(api_client: TestClient, api_routes: AppRoutes, default_theme, new_theme, user_token):
for theme in [default_theme, new_theme]:
response = api_client.delete(api_routes.themes_id(theme.get("id")), headers=token)
response = api_client.delete(api_routes.themes_id(theme.get("id")), headers=user_token)
assert response.status_code == 200