fix: prevent users from updating their own household privileges (#4928)

Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com>
2025-08-01 19:45:22 +02:00 · 2025-01-22 17:06:41 +01:00 · 2025-01-22 17:06:41 +01:00 · bf616f9db5
commit bf616f9db5
parent 8cd2da0abb
7 changed files with 133 additions and 28 deletions
--- a/tests/integration_tests/user_household_tests/test_household_permissions.py
+++ b/tests/integration_tests/user_household_tests/test_household_permissions.py
@ -86,3 +86,16 @@ def test_set_member_permissions_no_user(
    payload = get_permissions_payload(str(uuid4()))
    response = api_client.put(api_routes.households_permissions, json=payload, headers=unique_user.token)
    assert response.status_code == 404
+
+
+def test_set_own_permissions(api_client: TestClient, unique_user: TestUser):
+    database = unique_user.repos
+
+    user = database.users.get_one(unique_user.user_id)
+    assert user
+    user.can_manage = True
+    database.users.update(user.id, user)
+
+    form = {"user_id": str(unique_user.user_id), "canOrganize": not user.can_organize}
+    response = api_client.put(api_routes.households_permissions, json=form, headers=unique_user.token)
+    assert response.status_code == 403