fix: prevent users from updating their own household privileges (#4928)

Co-authored-by: Michael Genson <71845777+michael-genson@users.noreply.github.com>
2025-07-24 07:39:41 +02:00 · 2025-01-22 17:06:41 +01:00 · 2025-01-22 17:06:41 +01:00 · bf616f9db5
commit bf616f9db5
parent 8cd2da0abb
7 changed files with 133 additions and 28 deletions
--- a/tests/integration_tests/user_tests/test_user_crud.py
+++ b/tests/integration_tests/user_tests/test_user_crud.py
@ -1,8 +1,9 @@
 import pytest
 from fastapi.testclient import TestClient

-from tests.utils import TestUser, api_routes
+from tests.utils import api_routes
 from tests.utils.factories import random_email, random_int, random_string
+from tests.utils.fixture_schemas import TestUser


@pytest.mark.parametrize("use_admin_user", [True, False])
@ -43,3 +44,71 @@ def test_get_all_users_admin(request: pytest.FixtureRequest, api_client: TestCli
    response_user_ids = {user["id"] for user in response.json()["items"]}
    for user_id in user_ids:
        assert user_id in response_user_ids
+
+
+def test_user_update(api_client: TestClient, unique_user: TestUser, admin_user: TestUser):
+    response = api_client.get(api_routes.users_self, headers=unique_user.token)
+    user = response.json()
+
+    # valid request without updates
+    response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=user, headers=unique_user.token)
+    assert response.status_code == 200
+
+    # valid request with updates
+    tmp_user = user.copy()
+    tmp_user["email"] = random_email()
+    tmp_user["full_name"] = random_string()
+    response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=unique_user.token)
+    assert response.status_code == 200
+
+    # test user attempting to update another user
+    form = {"email": admin_user.email, "full_name": admin_user.full_name}
+    response = api_client.put(api_routes.users_item_id(admin_user.user_id), json=form, headers=unique_user.token)
+    assert response.status_code == 403
+
+    # test user attempting permission changes
+    permissions = ["canInvite", "canManage", "canManageHousehold", "canOrganize", "advanced", "admin"]
+    for permission in permissions:
+        tmp_user = user.copy()
+        tmp_user[permission] = not user[permission]
+        response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=form, headers=unique_user.token)
+        assert response.status_code == 403
+
+    # test user attempting to change group
+    tmp_user = user.copy()
+    tmp_user["group"] = random_string()
+    response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=unique_user.token)
+    assert response.status_code == 403
+
+    # test user attempting to change household
+    tmp_user = user.copy()
+    tmp_user["household"] = random_string()
+    response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=unique_user.token)
+    assert response.status_code == 403
+
+
+def test_admin_updates(api_client: TestClient, admin_user: TestUser, unique_user: TestUser):
+    response = api_client.get(api_routes.users_item_id(unique_user.user_id), headers=admin_user.token)
+    user = response.json()
+    response = api_client.get(api_routes.users_item_id(admin_user.user_id), headers=admin_user.token)
+    admin = response.json()
+
+    # admin updating themselves
+    tmp_user = admin.copy()
+    tmp_user["fullName"] = random_string()
+    response = api_client.put(api_routes.users_item_id(admin_user.user_id), json=tmp_user, headers=admin_user.token)
+    assert response.status_code == 200
+
+    # admin updating another user via the normal user route
+    tmp_user = user.copy()
+    tmp_user["fullName"] = random_string()
+    response = api_client.put(api_routes.users_item_id(unique_user.user_id), json=tmp_user, headers=admin_user.token)
+    assert response.status_code == 403
+
+    # admin updating their own permissions
+    permissions = ["canInvite", "canManage", "canManageHousehold", "canOrganize", "admin"]
+    for permission in permissions:
+        tmp_user = admin.copy()
+        tmp_user[permission] = not admin[permission]
+        response = api_client.put(api_routes.users_item_id(admin_user.user_id), json=tmp_user, headers=admin_user.token)
+        assert response.status_code == 403