diff --git a/ihatemoney/tests/tests.py b/ihatemoney/tests/tests.py index 510c437db..cecc4b083 100644 --- a/ihatemoney/tests/tests.py +++ b/ihatemoney/tests/tests.py @@ -1442,6 +1442,131 @@ def test_import_wrong_json(self): else: self.fail("ExpectedException not raised") + def test_access_other_projects(self): + """Test that accessing or editing bills and members from another project fails + """ + # Create project + self.post_project("raclette") + + # Add members + self.client.post("/raclette/members/add", data={"name": "zorglub", "weight": 2}) + self.client.post("/raclette/members/add", data={"name": "fred"}) + self.client.post("/raclette/members/add", data={"name": "tata"}) + self.client.post("/raclette/members/add", data={"name": "pépé"}) + + # Create bill + self.client.post( + "/raclette/add", + data={ + "date": "2016-12-31", + "what": "fromage à raclette", + "payer": 1, + "payed_for": [1, 2, 3, 4], + "amount": "10.0", + }, + ) + # Ensure it has been created + raclette = models.Project.query.get("raclette") + self.assertEqual(raclette.get_bills().count(), 1) + + # Log out + self.client.get("/exit") + + # Create and log in as another project + self.post_project("tartiflette") + + modified_bill = { + "date": "2018-12-31", + "what": "roblochon", + "payer": 2, + "payed_for": [1, 3, 4], + "amount": "100.0", + } + # Try to access bill of another project + resp = self.client.get("/raclette/edit/1") + self.assertStatus(303, resp) + # Try to access bill of another project by ID + resp = self.client.get("/tartiflette/edit/1") + self.assertStatus(404, resp) + # Try to edit bill + resp = self.client.post("/raclette/edit/1", data=modified_bill) + self.assertStatus(303, resp) + # Try to edit bill by ID + resp = self.client.post("/tartiflette/edit/1", data=modified_bill) + self.assertStatus(404, resp) + # Try to delete bill + resp = self.client.get("/raclette/delete/1") + self.assertStatus(303, resp) + # Try to delete bill by ID + resp = self.client.get("/tartiflette/delete/1") + self.assertStatus(302, resp) + + # Additional check that the bill was indeed not modified or deleted + bill = models.Bill.query.filter(models.Bill.id == 1).one() + self.assertEqual(bill.what, "fromage à raclette") + + # Use the correct credentials to modify and delete the bill. + # This ensures that modifying and deleting the bill can actually work + + self.client.get("/exit") + self.client.post( + "/authenticate", data={"id": "raclette", "password": "raclette"} + ) + self.client.post("/raclette/edit/1", data=modified_bill) + bill = models.Bill.query.filter(models.Bill.id == 1).one_or_none() + self.assertNotEqual(bill, None, "bill not found") + self.assertEqual(bill.what, "roblochon") + self.client.get("/raclette/delete/1") + bill = models.Bill.query.filter(models.Bill.id == 1).one_or_none() + self.assertEqual(bill, None) + + # Switch back to the second project + self.client.get("/exit") + self.client.post( + "/authenticate", data={"id": "tartiflette", "password": "tartiflette"} + ) + modified_member = { + "name": "bulgroz", + "weight": 42, + } + # Try to access member from another project + resp = self.client.get("/raclette/members/1/edit") + self.assertStatus(303, resp) + # Try to access member by ID + resp = self.client.get("/tartiflette/members/1/edit") + self.assertStatus(404, resp) + # Try to edit member + resp = self.client.post("/raclette/members/1/edit", data=modified_member) + self.assertStatus(303, resp) + # Try to edit member by ID + resp = self.client.post("/tartiflette/members/1/edit", data=modified_member) + self.assertStatus(404, resp) + # Try to delete member + resp = self.client.post("/raclette/members/1/delete") + self.assertStatus(303, resp) + # Try to delete member by ID + resp = self.client.post("/tartiflette/members/1/delete") + self.assertStatus(302, resp) + + # Additional check that the member was indeed not modified or deleted + member = models.Person.query.filter(models.Person.id == 1).one_or_none() + self.assertNotEqual(member, None, "member not found") + self.assertEqual(member.name, "zorglub") + self.assertTrue(member.activated) + + # Use the correct credentials to modify and delete the member. + # This ensures that modifying and deleting the member can actually work + self.client.get("/exit") + self.client.post( + "/authenticate", data={"id": "raclette", "password": "raclette"} + ) + self.client.post("/raclette/members/1/edit", data=modified_member) + member = models.Person.query.filter(models.Person.id == 1).one() + self.assertEqual(member.name, "bulgroz") + self.client.post("/raclette/members/1/delete") + member = models.Person.query.filter(models.Person.id == 1).one_or_none() + self.assertEqual(member, None) + class APITestCase(IhatemoneyTestCase): @@ -2973,131 +3098,6 @@ def test_double_bill_double_person_edit_second_no_web(self): self.assertNotIn("owers", entry["prop_changed"]) self.assertEqual(len(history_list), 6) - def test_access_other_projects(self): - """Test that accessing or editing bills and members from another project fails - """ - # Create project - self.post_project("raclette") - - # Add members - self.client.post("/raclette/members/add", data={"name": "zorglub", "weight": 2}) - self.client.post("/raclette/members/add", data={"name": "fred"}) - self.client.post("/raclette/members/add", data={"name": "tata"}) - self.client.post("/raclette/members/add", data={"name": "pépé"}) - - # Create bill - self.client.post( - "/raclette/add", - data={ - "date": "2016-12-31", - "what": "fromage à raclette", - "payer": 1, - "payed_for": [1, 2, 3, 4], - "amount": "10.0", - }, - ) - # Ensure it has been created - raclette = models.Project.query.get("raclette") - self.assertEqual(raclette.get_bills().count(), 1) - - # Log out - self.client.get("/exit") - - # Create and log in as another project - self.post_project("tartiflette") - - modified_bill = { - "date": "2018-12-31", - "what": "roblochon", - "payer": 2, - "payed_for": [1, 3, 4], - "amount": "100.0", - } - # Try to access bill of another project - resp = self.client.get("/raclette/edit/1") - self.assertStatus(303, resp) - # Try to access bill of another project by ID - resp = self.client.get("/tartiflette/edit/1") - self.assertStatus(404, resp) - # Try to edit bill - resp = self.client.post("/raclette/edit/1", data=modified_bill) - self.assertStatus(303, resp) - # Try to edit bill by ID - resp = self.client.post("/tartiflette/edit/1", data=modified_bill) - self.assertStatus(404, resp) - # Try to delete bill - resp = self.client.get("/raclette/delete/1") - self.assertStatus(303, resp) - # Try to delete bill by ID - resp = self.client.get("/tartiflette/delete/1") - self.assertStatus(302, resp) - - # Additional check that the bill was indeed not modified or deleted - bill = models.Bill.query.filter(models.Bill.id == 1).one() - self.assertEqual(bill.what, "fromage à raclette") - - # Use the correct credentials to modify and delete the bill. - # This ensures that modifying and deleting the bill can actually work - - self.client.get("/exit") - self.client.post( - "/authenticate", data={"id": "raclette", "password": "raclette"} - ) - self.client.post("/raclette/edit/1", data=modified_bill) - bill = models.Bill.query.filter(models.Bill.id == 1).one_or_none() - self.assertNotEqual(bill, None, "bill not found") - self.assertEqual(bill.what, "roblochon") - self.client.get("/raclette/delete/1") - bill = models.Bill.query.filter(models.Bill.id == 1).one_or_none() - self.assertEqual(bill, None) - - # Switch back to the second project - self.client.get("/exit") - self.client.post( - "/authenticate", data={"id": "tartiflette", "password": "tartiflette"} - ) - modified_member = { - "name": "bulgroz", - "weight": 42, - } - # Try to access member from another project - resp = self.client.get("/raclette/members/1/edit") - self.assertStatus(303, resp) - # Try to access member by ID - resp = self.client.get("/tartiflette/members/1/edit") - self.assertStatus(404, resp) - # Try to edit member - resp = self.client.post("/raclette/members/1/edit", data=modified_member) - self.assertStatus(303, resp) - # Try to edit member by ID - resp = self.client.post("/tartiflette/members/1/edit", data=modified_member) - self.assertStatus(404, resp) - # Try to delete member - resp = self.client.post("/raclette/members/1/delete") - self.assertStatus(303, resp) - # Try to delete member by ID - resp = self.client.post("/tartiflette/members/1/delete") - self.assertStatus(302, resp) - - # Additional check that the member was indeed not modified or deleted - member = models.Person.query.filter(models.Person.id == 1).one_or_none() - self.assertNotEqual(member, None, "member not found") - self.assertEqual(member.name, "zorglub") - self.assertTrue(member.activated) - - # Use the correct credentials to modify and delete the member. - # This ensures that modifying and deleting the member can actually work - self.client.get("/exit") - self.client.post( - "/authenticate", data={"id": "raclette", "password": "raclette"} - ) - self.client.post("/raclette/members/1/edit", data=modified_member) - member = models.Person.query.filter(models.Person.id == 1).one() - self.assertEqual(member.name, "bulgroz") - self.client.post("/raclette/members/1/delete") - member = models.Person.query.filter(models.Person.id == 1).one_or_none() - self.assertEqual(member, None) - class TestCurrencyConverter(unittest.TestCase): converter = CurrencyConverter()