fix: Prevent Users From Being Created With Missing Group/Household (#4500)

2025-07-25 08:09:41 +02:00 · 2024-11-05 17:52:33 -06:00 · 2024-11-05 17:52:33 -06:00 · 0fed5f54f6
commit 0fed5f54f6
parent f4bde93960
3 changed files with 92 additions and 1 deletions
--- a/tests/unit_tests/test_security.py
+++ b/tests/unit_tests/test_security.py
@ -1,6 +1,7 @@
 from pathlib import Path

 import ldap
+import pytest
 from pytest import MonkeyPatch

 from mealie.core import security
@ -13,6 +14,7 @@ from mealie.core.security.providers.credentials_provider import (
 from mealie.core.security.providers.ldap_provider import LDAPProvider
 from mealie.db.db_setup import session_context
 from mealie.db.models.users.users import AuthMethod
+from mealie.repos.repository_factory import AllRepositories
 from mealie.schema.user.auth import CredentialsRequestForm
 from mealie.schema.user.user import PrivateUser
 from tests.utils import random_string
@ -92,7 +94,7 @@ class LdapConnMock:
        pass


-def setup_env(monkeypatch: MonkeyPatch):
+def setup_env(monkeypatch: MonkeyPatch, **kwargs):
    user = random_string(10)
    mail = random_string(10)
    name = random_string(10)
@ -140,11 +142,55 @@ def test_ldap_user_creation(monkeypatch: MonkeyPatch):
        provider = get_provider(session, user, password)
        result = provider.get_user()

+    app_settings = get_app_settings()
+
    assert result
    assert result.username == user
    assert result.email == mail
    assert result.full_name == name
    assert result.admin is False
+    assert result.group == app_settings.DEFAULT_GROUP
+    assert result.household == app_settings.DEFAULT_HOUSEHOLD
+    assert result.auth_method == AuthMethod.LDAP
+
+
+@pytest.mark.parametrize("valid_group", [True, False])
+@pytest.mark.parametrize("valid_household", [True, False])
+def test_ldap_user_creation_invalid_group_or_household(
+    unfiltered_database: AllRepositories, monkeypatch: MonkeyPatch, valid_group: bool, valid_household: bool
+):
+    user, mail, name, password, query_bind, query_password = setup_env(monkeypatch)
+    if not valid_group:
+        monkeypatch.setenv("DEFAULT_GROUP", random_string())
+    if not valid_household:
+        monkeypatch.setenv("DEFAULT_HOUSEHOLD", random_string())
+
+    def ldap_initialize_mock(url):
+        assert url == ""
+        return LdapConnMock(user, password, False, query_bind, query_password, mail, name)
+
+    monkeypatch.setattr(ldap, "initialize", ldap_initialize_mock)
+
+    get_app_settings.cache_clear()
+
+    with session_context() as session:
+        provider = get_provider(session, user, password)
+        try:
+            result = provider.get_user()
+        except ValueError:
+            result = None
+
+    if valid_group and valid_household:
+        assert result
+    else:
+        assert not result
+
+    # check if the user exists in the db
+    user = unfiltered_database.users.get_by_username(user)
+    if valid_group and valid_household:
+        assert user
+    else:
+        assert not user


 def test_ldap_user_creation_fail(monkeypatch: MonkeyPatch):