mirror of
https://github.com/mealie-recipes/mealie.git
synced 2025-08-05 05:25:26 +02:00
API security hardening (#571)
* Enhance security and safety around user update API - Prevent a regular user from promoting themself to admin - Prevent an admin from demoting themself - Refactor token fixture to admin + regular user tokens * Restrict user CRUD API to admins * Secure admin API routes * Refactor APIrouter into Admin/UserAPIRouter * Secure theme routes * Make 'all recipes' routes public * Secure favorite routes * Remove redundant checks * Fix public routes mistakenly flagged user routes * Make webhooks changeable only by admin * Allow users to create categories and tags * Address lint issues
This commit is contained in:
sephrat
GitHub
parent
f5faff66d3
commit
6320ba7ec5
43 changed files with 456 additions and 347 deletions
|
|
@ -22,22 +22,22 @@ def chowdown_zip():
|
|||
zip_copy.unlink()
|
||||
|
||||
|
||||
def test_upload_chowdown_zip(api_client: TestClient, api_routes: AppRoutes, chowdown_zip: Path, token):
|
||||
def test_upload_chowdown_zip(api_client: TestClient, api_routes: AppRoutes, chowdown_zip: Path, admin_token):
|
||||
upload_url = api_routes.migrations_import_type_upload("chowdown")
|
||||
response = api_client.post(upload_url, files={"archive": chowdown_zip.open("rb")}, headers=token)
|
||||
response = api_client.post(upload_url, files={"archive": chowdown_zip.open("rb")}, headers=admin_token)
|
||||
|
||||
assert response.status_code == 200
|
||||
|
||||
assert app_dirs.MIGRATION_DIR.joinpath("chowdown", chowdown_zip.name).is_file()
|
||||
|
||||
|
||||
def test_import_chowdown_directory(api_client: TestClient, api_routes: AppRoutes, chowdown_zip: Path, token):
|
||||
def test_import_chowdown_directory(api_client: TestClient, api_routes: AppRoutes, chowdown_zip: Path, admin_token):
|
||||
delete_url = api_routes.recipes_recipe_slug("roasted-okra")
|
||||
api_client.delete(delete_url, headers=token) # TODO: Manage Test Data better
|
||||
api_client.delete(delete_url, headers=admin_token) # TODO: Manage Test Data better
|
||||
selection = chowdown_zip.name
|
||||
|
||||
import_url = api_routes.migrations_import_type_file_name_import("chowdown", selection)
|
||||
response = api_client.post(import_url, headers=token)
|
||||
response = api_client.post(import_url, headers=admin_token)
|
||||
|
||||
assert response.status_code == 200
|
||||
|
||||
|
|
@ -47,10 +47,10 @@ def test_import_chowdown_directory(api_client: TestClient, api_routes: AppRoutes
|
|||
assert report.get("status") is True
|
||||
|
||||
|
||||
def test_delete_chowdown_migration_data(api_client: TestClient, api_routes: AppRoutes, chowdown_zip: Path, token):
|
||||
def test_delete_chowdown_migration_data(api_client: TestClient, api_routes: AppRoutes, chowdown_zip: Path, admin_token):
|
||||
selection = chowdown_zip.name
|
||||
delete_url = api_routes.migrations_import_type_file_name_delete("chowdown", selection)
|
||||
response = api_client.delete(delete_url, headers=token)
|
||||
response = api_client.delete(delete_url, headers=admin_token)
|
||||
|
||||
assert response.status_code == 200
|
||||
assert not app_dirs.MIGRATION_DIR.joinpath(chowdown_zip.name).is_file()
|
||||
|
|
@ -70,19 +70,19 @@ def nextcloud_zip():
|
|||
zip_copy.unlink()
|
||||
|
||||
|
||||
def test_upload_nextcloud_zip(api_client: TestClient, api_routes: AppRoutes, nextcloud_zip, token):
|
||||
def test_upload_nextcloud_zip(api_client: TestClient, api_routes: AppRoutes, nextcloud_zip, admin_token):
|
||||
upload_url = api_routes.migrations_import_type_upload("nextcloud")
|
||||
response = api_client.post(upload_url, files={"archive": nextcloud_zip.open("rb")}, headers=token)
|
||||
response = api_client.post(upload_url, files={"archive": nextcloud_zip.open("rb")}, headers=admin_token)
|
||||
|
||||
assert response.status_code == 200
|
||||
|
||||
assert app_dirs.MIGRATION_DIR.joinpath("nextcloud", nextcloud_zip.name).is_file()
|
||||
|
||||
|
||||
def test_import_nextcloud_directory(api_client: TestClient, api_routes: AppRoutes, nextcloud_zip, token):
|
||||
def test_import_nextcloud_directory(api_client: TestClient, api_routes: AppRoutes, nextcloud_zip, admin_token):
|
||||
selection = nextcloud_zip.name
|
||||
import_url = api_routes.migrations_import_type_file_name_import("nextcloud", selection)
|
||||
response = api_client.post(import_url, headers=token)
|
||||
response = api_client.post(import_url, headers=admin_token)
|
||||
|
||||
assert response.status_code == 200
|
||||
|
||||
|
|
@ -91,10 +91,12 @@ def test_import_nextcloud_directory(api_client: TestClient, api_routes: AppRoute
|
|||
assert report.get("status") is True
|
||||
|
||||
|
||||
def test_delete__nextcloud_migration_data(api_client: TestClient, api_routes: AppRoutes, nextcloud_zip: Path, token):
|
||||
def test_delete__nextcloud_migration_data(
|
||||
api_client: TestClient, api_routes: AppRoutes, nextcloud_zip: Path, admin_token
|
||||
):
|
||||
selection = nextcloud_zip.name
|
||||
delete_url = api_routes.migrations_import_type_file_name_delete("nextcloud", selection)
|
||||
response = api_client.delete(delete_url, headers=token)
|
||||
response = api_client.delete(delete_url, headers=admin_token)
|
||||
|
||||
assert response.status_code == 200
|
||||
assert not app_dirs.MIGRATION_DIR.joinpath(nextcloud_zip.name).is_file()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue