Docker/mealie
Docker/mealie
1
0
Fork 0
mirror of https://github.com/mealie-recipes/mealie.git synced 2025-07-24 15:49:42 +02:00
Code Issues Releases Activity

fix: prevent recipe sharing from different group (#4929)

Browse source
This commit is contained in:
Kuchenpirat 2025-01-22 16:51:29 +01:00 committed by GitHub
parent c74ba0eca1
commit 8cd2da0abb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
mealie/routes/shared/__init__.py
View file

@ -1,5 +1,6 @@
from functools import cached_property
from fastapi import HTTPException
from pydantic import UUID4
from mealie.routes._base import BaseUserController, controller
@ -30,6 +31,11 @@ class RecipeSharedController(BaseUserController):
@router.post("", response_model=RecipeShareToken, status_code=201)
def create_one(self, data: RecipeShareTokenCreate) -> RecipeShareToken:
# check if recipe group id is the same as the user group id
recipe = self.repos.recipes.get_one(data.recipe_id, "id")
if recipe is None or recipe.group_id != self.group_id:
raise HTTPException(status_code=404, detail="Recipe not found in your group")
save_data = RecipeShareTokenSave(**data.model_dump(), group_id=self.group_id)
return self.mixins.create_one(save_data)

9
tests/integration_tests/user_recipe_tests/test_recipe_share_tokens.py
View file

@ -110,3 +110,12 @@ def test_recipe_share_tokens_delete_one(api_client: TestClient, unique_user: Tes
token = database.recipe_share_tokens.get_one(token.id)
assert token is None
def test_share_recipe_from_different_group(api_client: TestClient, unique_user: TestUser, g2_user: TestUser, slug: str):
database = unique_user.repos
recipe = database.recipes.get_one(slug)
assert recipe
response = api_client.post(api_routes.shared_recipes, json={"recipeId": str(recipe.id)}, headers=g2_user.token)
assert response.status_code == 404