Docker/mealie
Docker/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-08-05 05:25:26 +02:00
Code Issues Releases Activity

API security hardening (#571)

Browse source 
* Enhance security and safety around user update API

- Prevent a regular user from promoting themself to admin
- Prevent an admin from demoting themself
- Refactor token fixture to admin + regular user tokens

* Restrict user CRUD API to admins

* Secure admin API routes

* Refactor APIrouter into Admin/UserAPIRouter

* Secure theme routes

* Make 'all recipes' routes public

* Secure favorite routes

* Remove redundant checks

* Fix public routes mistakenly flagged user routes

* Make webhooks changeable only by admin

* Allow users to create categories and tags

* Address lint issues
This commit is contained in:
sephrat 2021-06-22 20:22:15 +02:00 committed by GitHub
parent f5faff66d3
commit 6320ba7ec5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
43 changed files with 456 additions and 347 deletions
Download patch file Download diff file Expand all files Collapse all files

16
tests/integration_tests/test_signup_routes.py
View file

@ -7,10 +7,10 @@ from tests.app_routes import AppRoutes
@pytest.fixture()
def active_link(api_client: TestClient, api_routes: AppRoutes, token):
def active_link(api_client: TestClient, api_routes: AppRoutes, admin_token):
data = {"name": "Fixture Token", "admin": True}
response = api_client.post(api_routes.users_sign_ups, json=data, headers=token)
response = api_client.post(api_routes.users_sign_ups, json=data, headers=admin_token)
return SignUpToken(**json.loads(response.text))
@ -26,10 +26,10 @@ def sign_up_user():
}
def test_create_sign_up_link(api_client: TestClient, api_routes: AppRoutes, token):
def test_create_sign_up_link(api_client: TestClient, api_routes: AppRoutes, admin_token):
data = {"name": "Test Token", "admin": False}
response = api_client.post(api_routes.users_sign_ups, json=data, headers=token)
response = api_client.post(api_routes.users_sign_ups, json=data, headers=admin_token)
assert response.status_code == 200
@ -47,11 +47,11 @@ def test_new_user_signup(api_client: TestClient, api_routes: AppRoutes, active_l
def test_delete_sign_up_link(
api_client: TestClient, api_routes: AppRoutes, token, active_link: SignUpToken, sign_up_user
api_client: TestClient, api_routes: AppRoutes, admin_token, active_link: SignUpToken, sign_up_user
):
response = api_client.delete(api_routes.users_sign_ups_token(active_link.token), headers=token)
response = api_client.delete(api_routes.users_sign_ups_token(active_link.token), headers=admin_token)
assert response.status_code == 200
# Validate Token is Gone
response = api_client.get(api_routes.users_sign_ups, headers=token)
# Validate admin_token is Gone
response = api_client.get(api_routes.users_sign_ups, headers=admin_token)
assert sign_up_user not in json.loads(response.content)