fix: prevent recipe sharing from different group (#4929)

mealie/routes/shared/__init__.py

@@ -1,5 +1,6 @@
 from functools import cached_property
 
+from fastapi import HTTPException
 from pydantic import UUID4
 
 from mealie.routes._base import BaseUserController, controller
@@ -30,6 +31,11 @@ class RecipeSharedController(BaseUserController):
 
     @router.post("", response_model=RecipeShareToken, status_code=201)
     def create_one(self, data: RecipeShareTokenCreate) -> RecipeShareToken:
+        # check if recipe group id is the same as the user group id
+        recipe = self.repos.recipes.get_one(data.recipe_id, "id")
+        if recipe is None or recipe.group_id != self.group_id:
+            raise HTTPException(status_code=404, detail="Recipe not found in your group")
+
         save_data = RecipeShareTokenSave(**data.model_dump(), group_id=self.group_id)
         return self.mixins.create_one(save_data)
 

tests/integration_tests/user_recipe_tests/test_recipe_share_tokens.py

@@ -110,3 +110,12 @@ def test_recipe_share_tokens_delete_one(api_client: TestClient, unique_user: Tes
     token = database.recipe_share_tokens.get_one(token.id)
 
     assert token is None
+
+
+def test_share_recipe_from_different_group(api_client: TestClient, unique_user: TestUser, g2_user: TestUser, slug: str):
+    database = unique_user.repos
+    recipe = database.recipes.get_one(slug)
+    assert recipe
+
+    response = api_client.post(api_routes.shared_recipes, json={"recipeId": str(recipe.id)}, headers=g2_user.token)
+    assert response.status_code == 404