Mirrors/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-10-27 08:14:30 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
d67240d4496941a5f35dcae2e81f301a6335ed80
mealie/tests/integration_tests/test_custom_page_routes.py
sephrat 6320ba7ec5 API security hardening (#571) 
* Enhance security and safety around user update API

- Prevent a regular user from promoting themself to admin
- Prevent an admin from demoting themself
- Refactor token fixture to admin + regular user tokens

* Restrict user CRUD API to admins

* Secure admin API routes

* Refactor APIrouter into Admin/UserAPIRouter

* Secure theme routes

* Make 'all recipes' routes public

* Secure favorite routes

* Remove redundant checks

* Fix public routes mistakenly flagged user routes

* Make webhooks changeable only by admin

* Allow users to create categories and tags

* Address lint issues
2021-06-22 10:22:15 -08:00

44 lines
1.3 KiB
Python
Raw Blame History

import json
import pytest
from fastapi.testclient import TestClient
from tests.app_routes import AppRoutes
@pytest.fixture()
def page_data():
return {"name": "My New Page", "position": 0, "categories": []}
def test_create_page(api_client: TestClient, api_routes: AppRoutes, admin_token, page_data):
response = api_client.post(api_routes.site_settings_custom_pages, json=page_data, headers=admin_token)
assert response.status_code == 200
def test_read_page(api_client: TestClient, api_routes: AppRoutes, page_data):
response = api_client.get(api_routes.site_settings_custom_pages_id(1))
page_data["id"] = 1
page_data["slug"] = "my-new-page"
assert json.loads(response.text) == page_data
def test_update_page(api_client: TestClient, api_routes: AppRoutes, page_data, admin_token):
page_data["id"] = 1
page_data["name"] = "My New Name"
response = api_client.put(api_routes.site_settings_custom_pages_id(1), json=page_data, headers=admin_token)
assert response.status_code == 200
def test_delete_page(api_client: TestClient, api_routes: AppRoutes, admin_token):
response = api_client.delete(api_routes.site_settings_custom_pages_id(1), headers=admin_token)
assert response.status_code == 200
response = api_client.get(api_routes.site_settings_custom_pages_id(1))
assert json.loads(response.text) is None
Reference in New Issue View Git Blame Copy Permalink