fix: allow admin users to delete other household recipes (#5767)

Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com>
2025-08-10 07:55:23 +02:00 · 2025-07-30 00:46:23 +02:00 · 2025-07-30 00:46:23 +02:00 · 5f522b5324
commit 5f522b5324
parent bd0aed06ce
6 changed files with 128 additions and 12 deletions
--- a/tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py
+++ b/tests/integration_tests/user_recipe_tests/test_recipe_cross_household.py
@ -215,6 +215,42 @@ def test_delete_recipes_from_other_households(
        assert response.status_code == 404


+@pytest.mark.parametrize("is_private_household", [True, False])
+@pytest.mark.parametrize("household_lock_recipe_edits", [True, False])
+def test_admin_delete_recipes_from_other_households(
+    api_client: TestClient,
+    unique_admin: TestUser,
+    h2_user: TestUser,
+    is_private_household: bool,
+    household_lock_recipe_edits: bool,
+):
+    household = h2_user.repos.households.get_one(h2_user.household_id)
+    assert household and household.preferences
+    household.preferences.private_household = is_private_household
+    household.preferences.lock_recipe_edits_from_other_households = household_lock_recipe_edits
+    h2_user.repos.household_preferences.update(household.id, household.preferences)
+
+    response = api_client.post(api_routes.recipes, json={"name": random_string()}, headers=h2_user.token)
+    assert response.status_code == 201
+    h2_recipe = h2_user.repos.recipes.get_one(response.json())
+    assert h2_recipe and h2_recipe.id
+    h2_recipe_id = str(h2_recipe.id)
+
+    response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_admin.token)
+    assert response.status_code == 200
+    recipe_json = response.json()
+    assert recipe_json["id"] == h2_recipe_id
+
+    # Admin users should always be able to delete recipes from other households
+    # regardless of household_lock_recipe_edits setting
+    response = api_client.delete(api_routes.recipes_slug(recipe_json["slug"]), headers=unique_admin.token)
+    assert response.status_code == 200
+
+    # confirm the recipe was deleted
+    response = api_client.get(api_routes.recipes_slug(h2_recipe_id), headers=unique_admin.token)
+    assert response.status_code == 404
+
+
@pytest.mark.parametrize("is_private_household", [True, False])
@pytest.mark.parametrize("household_lock_recipe_edits", [True, False])
 def test_user_can_update_last_made_on_other_household(
--- a/tests/integration_tests/user_recipe_tests/test_recipe_owner.py
+++ b/tests/integration_tests/user_recipe_tests/test_recipe_owner.py
@ -1,7 +1,11 @@
 from datetime import UTC, datetime
+from uuid import UUID

 from fastapi.testclient import TestClient

+from mealie.repos.repository_factory import AllRepositories
+from mealie.schema.recipe.recipe import Recipe
+from mealie.schema.recipe.recipe_settings import RecipeSettings
 from tests.utils import api_routes
 from tests.utils.factories import random_string
 from tests.utils.fixture_schemas import TestUser
@ -135,3 +139,44 @@ def test_other_user_cant_lock_recipe(api_client: TestClient, user_tuple: list[Te
    recipe["settings"]["locked"] = True
    response = api_client.put(api_routes.recipes + f"/{recipe_name}", json=recipe, headers=usr_2.token)
    assert response.status_code == 403
+
+
+def test_other_user_cant_delete_recipe(api_client: TestClient, user_tuple: list[TestUser]):
+    slug = random_string(10)
+    unique_user, other_user = user_tuple
+
+    unique_user.repos.recipes.create(
+        Recipe(
+            user_id=unique_user.user_id,
+            group_id=unique_user.group_id,
+            name=slug,
+            settings=RecipeSettings(locked=True),
+        )
+    )
+
+    response = api_client.delete(api_routes.recipes_slug(slug), headers=other_user.token)
+    assert response.status_code == 403
+
+
+def test_admin_can_delete_locked_recipe_owned_by_another_user(
+    api_client: TestClient, unfiltered_database: AllRepositories, unique_user: TestUser, admin_user: TestUser
+):
+    slug = random_string(10)
+    unique_user.repos.recipes.create(
+        Recipe(
+            user_id=unique_user.user_id,
+            group_id=unique_user.group_id,
+            name=slug,
+            settings=RecipeSettings(locked=True),
+        )
+    )
+
+    # Make sure admin belongs to same group/household as user
+    admin_data = unfiltered_database.users.get_one(admin_user.user_id)
+    assert admin_data
+    admin_data.group_id = UUID(unique_user.group_id)
+    admin_data.household_id = UUID(unique_user.household_id)
+    unfiltered_database.users.update(admin_user.user_id, admin_data)
+
+    response = api_client.delete(api_routes.recipes_slug(slug), headers=admin_user.token)
+    assert response.status_code == 200