fix: prevent recipe sharing from different group (#4929)

2025-12-29 05:25:30 -05:00 · 2025-01-22 16:51:29 +01:00
parent c74ba0eca1
commit 8cd2da0abb
2 changed files with 15 additions and 0 deletions
--- a/mealie/routes/shared/init.py
+++ b/mealie/routes/shared/init.py
@@ -1,5 +1,6 @@
 from functools import cached_property

+from fastapi import HTTPException
 from pydantic import UUID4

 from mealie.routes._base import BaseUserController, controller
@@ -30,6 +31,11 @@ class RecipeSharedController(BaseUserController):

    @router.post("", response_model=RecipeShareToken, status_code=201)
    def create_one(self, data: RecipeShareTokenCreate) -> RecipeShareToken:
+        # check if recipe group id is the same as the user group id
+        recipe = self.repos.recipes.get_one(data.recipe_id, "id")
+        if recipe is None or recipe.group_id != self.group_id:
+            raise HTTPException(status_code=404, detail="Recipe not found in your group")
+
        save_data = RecipeShareTokenSave(**data.model_dump(), group_id=self.group_id)
        return self.mixins.create_one(save_data)