Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-10-30 17:53:31 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
17b2e37e4e9c14969e41a5a7f93ef11f6d83dd1c
mealie/tests/integration_tests/test_group_routes.py
sephrat 6320ba7ec5 API security hardening (#571) 
* Enhance security and safety around user update API

- Prevent a regular user from promoting themself to admin
- Prevent an admin from demoting themself
- Refactor token fixture to admin + regular user tokens

* Restrict user CRUD API to admins

* Secure admin API routes

* Refactor APIrouter into Admin/UserAPIRouter

* Secure theme routes

* Make 'all recipes' routes public

* Secure favorite routes

* Remove redundant checks

* Fix public routes mistakenly flagged user routes

* Make webhooks changeable only by admin

* Allow users to create categories and tags

* Address lint issues
2021-06-22 10:22:15 -08:00

59 lines
1.7 KiB
Python
Raw Blame History

import json
import pytest
from fastapi.testclient import TestClient
from tests.app_routes import AppRoutes
@pytest.fixture
def group_data():
return {"name": "Test Group"}
def test_create_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
response = api_client.post(api_routes.groups, json={"name": "Test Group"}, headers=admin_token)
assert response.status_code == 201
def test_get_self_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
response = api_client.get(api_routes.groups, headers=admin_token)
assert response.status_code == 200
assert len(json.loads(response.text)) >= 2
def test_update_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
new_data = {
"name": "New Group Name",
"id": 2,
"categories": [],
"webhookUrls": [],
"webhookTime": "00:00",
"webhookEnable": False,
"users": [],
"mealplans": [],
"shoppingLists": [],
}
# Test Update
response = api_client.put(api_routes.groups_id(2), json=new_data, headers=admin_token)
assert response.status_code == 200
# Validate Changes
response = api_client.get(api_routes.groups, headers=admin_token)
all_groups = json.loads(response.text)
id_2 = filter(lambda x: x["id"] == 2, all_groups)
assert next(id_2) == new_data
def test_home_group_not_deletable(api_client: TestClient, api_routes: AppRoutes, admin_token):
response = api_client.delete(api_routes.groups_id(1), headers=admin_token)
assert response.status_code == 400
def test_delete_group(api_client: TestClient, api_routes: AppRoutes, admin_token):
response = api_client.delete(api_routes.groups_id(2), headers=admin_token)
assert response.status_code == 200
Reference in New Issue View Git Blame Copy Permalink