From 01d515c07f2dd042fb64735e050889a9b45d239b Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez <git@bitsofnetworks.org>
Date: Sun, 31 Mar 2024 19:50:29 +0200
Subject: [PATCH] Add security-related test to the new settle endpoint

---
 ihatemoney/tests/budget_test.py | 18 ++++++++++++++++++
 ihatemoney/web.py               |  1 +
 2 files changed, 19 insertions(+)

diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index 578ffa5bd..03f089915 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -1630,6 +1630,24 @@ def test_access_other_projects(self):
         member = models.Person.query.filter(models.Person.id == 1).one_or_none()
         assert member is None
 
+        # test new settle endpoint to add bills with wrong payer / payed_for
+        self.client.post("/exit")
+        self.client.post(
+            "/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
+        )
+        self.client.post(
+            "/tartiflette/settle",
+            data={
+                "sender_id": 4,
+                "receiver_id": 5,
+                "amount": "42.0",
+            },
+        )
+        piratebill = models.Bill.query.filter(
+            models.Bill.bill_type == models.BillType.REIMBURSEMENT
+        ).one_or_none()
+        assert piratebill is None, "piratebill 3 should not exist"
+
     @pytest.mark.skip(reason="Currency conversion is broken")
     def test_currency_switch(self):
         # A project should be editable
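Review bot: The new assertion only proves that no reimbursement bill exists afterwards, not that the request was rejected for the right reason, so it would keep passing if the form silently dropped the submission or if ids 4 and 5 simply do not exist in the fixture; the hunk in web.py shows the cross-project check is still a TODO, so whatever makes this pass today is presumably a side effect of form validation rather than the intended guard. Capture the response and assert on it, e.g. `resp = self.client.post("/tartiflette/settle", data={...})` followed by `assert resp.status_code != 302` (or whatever the endpoint returns on a rejected form, to be confirmed against `add_settlement_bill`), and pin the precondition that 4 and 5 really belong to another project before posting, along the lines of `assert models.Person.query.get(4).project_id != "tartiflette"` with the attribute name checked against the Person model. The unscoped `one_or_none()` over every REIMBURSEMENT bill is also fragile: if earlier steps of this test (or a shared fixture) ever create a legitimate settlement it will raise MultipleResultsFound or return an unrelated row, so filter on the payer/receiver ids used here instead. The enclosing `test_access_other_projects` starts before this hunk.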
diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index 353b6de0b..a1ecd94cd 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -868,6 +868,7 @@ def add_settlement_bill():
         )
         return redirect(url_for(".settle_bill"))
 
+    # TODO: check that sender and receiver ID are valid and part of this project
 
     settlement = Bill(
         amount=form.amount.data,