From 01d515c07f2dd042fb64735e050889a9b45d239b Mon Sep 17 00:00:00 2001
From: Baptiste Jonglez <git@bitsofnetworks.org>
Date: Sun, 31 Mar 2024 19:50:29 +0200
Subject: [PATCH] Add security-related test to the new settle endpoint

---
 ihatemoney/tests/budget_test.py | 18 ++++++++++++++++++
 ihatemoney/web.py | 1 +
 2 files changed, 19 insertions(+)

diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index 578ffa5bd..03f089915 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -1630,6 +1630,24 @@ def test_access_other_projects(self):
         member = models.Person.query.filter(models.Person.id == 1).one_or_none()
         assert member is None
 
+        # test new settle endpoint to add bills with wrong payer / payed_for
+        self.client.post("/exit")
+        self.client.post(
+            "/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
+        )
+        self.client.post(
+            "/tartiflette/settle",
+            data={
+                "sender_id": 4,
+                "receiver_id": 5,
+                "amount": "42.0",
+            },
+        )
+        piratebill = models.Bill.query.filter(
+            models.Bill.bill_type == models.BillType.REIMBURSEMENT
+        ).one_or_none()
+        assert piratebill is None, "piratebill 3 should not exist"
+
     @pytest.mark.skip(reason="Currency conversion is broken")
     def test_currency_switch(self):
         # A project should be editable
diff --git a/ihatemoney/web.py b/ihatemoney/web.py
index 353b6de0b..a1ecd94cd 100644
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@@ -868,6 +868,7 @@ def add_settlement_bill():
         )
         return redirect(url_for(".settle_bill"))
 
+        # TODO: check that sender and receiver ID are valid and part of this project
         settlement = Bill(
             amount=form.amount.data,
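Review bot: The new assertion `piratebill is None` does not pin the security property it is meant to test, because the POST to `/tartiflette/settle` is fire-and-forget — the test passes just as well if the request 404s, trips CSRF, or fails form validation for a reason unrelated to the sender/receiver belonging to another project, and it only looks for REIMBURSEMENT bills rather than any new bill. Capture the response and the bill count around the request, e.g. `nb_bills = models.Bill.query.count()` before it, `resp = self.client.post("/tartiflette/settle", ...)` and afterwards `assert models.Bill.query.count() == nb_bills`, plus an assertion on `resp.status_code` matching whatever the view does on a rejected form (presumably the redirect visible in web.py — confirm against the handler). The choice of ids 4 and 5 deserves a comment such as `# members 4 and 5 belong to another project; the view must refuse them`, since the enclosing test_access_other_projects body starts outside this hunk and a reader cannot tell why these ids are "wrong". The message `"piratebill 3 should not exist"` appears to be copied from an earlier assertion and could be reworded to name the settle endpoint.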