From 0cabb655ad1f16cd7af8b298bedb83c076942fa9 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Thu, 6 Mar 2025 15:21:49 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F(back)=20restrict=20access?= =?UTF-8?q?=20to=20favorite=5Flist=20endpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

favorite_list endpoint is accessible to anonymous user. This lead to an error 500. This endpoint should be accessible only to authenticated users.
---
 CHANGELOG.md | 1 +
 src/backend/core/api/viewsets.py | 1 +
 .../test_api_documents_favorite_list.py | 78 +++++++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 src/backend/core/tests/documents/test_api_documents_favorite_list.py

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86bd82cd..edde5b88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ and this project adheres to
 ## Fixed
 - 🐛(frontend) fix collaboration error #684
+- 🔒️(back) restrict access to favorite_list endpoint #690
 ## [2.3.0] - 2025-03-03
diff --git a/src/backend/core/api/viewsets.py b/src/backend/core/api/viewsets.py
index de9b8401..61580304 100644
--- a/src/backend/core/api/viewsets.py
+++ b/src/backend/core/api/viewsets.py
@@ -591,6 +591,7 @@ class DocumentViewSet(
     @drf.decorators.action(
         detail=False,
         methods=["get"],
+        permission_classes=[permissions.IsAuthenticated],
     )
     def favorite_list(self, request, *args, **kwargs):
         """Get list of favorite documents for the current user."""
diff --git a/src/backend/core/tests/documents/test_api_documents_favorite_list.py b/src/backend/core/tests/documents/test_api_documents_favorite_list.py
new file mode 100644
index 00000000..46baa8e4
--- /dev/null
+++ b/src/backend/core/tests/documents/test_api_documents_favorite_list.py
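Review bot: `permission_classes=[permissions.IsAuthenticated]` passed to `@drf.decorators.action` replaces the viewset-level `permission_classes` for this action instead of extending them, so whatever `DocumentViewSet` declares at class level (outside this hunk) no longer applies to `favorite_list`. If that class-level list holds anything beyond `IsAuthenticated`, name those classes explicitly next to it in the decorator so the action is not silently less protected than its siblings. The 500 described in the commit message suggests the body dereferences `request.user` as if it were always authenticated; the permission check now runs first, so the fix holds for this action, but a one-line comment above the decorator would record the intent, e.g. `# Anonymous users have no favorites; reject them up front rather than letting the queryset fail.` The body of `favorite_list` continues outside the hunk.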
@@ -0,0 +1,78 @@
+"""Test for the document favorite_list endpoint."""
+
+import pytest
+from rest_framework.test import APIClient
+
+from core import factories, models
+
+pytestmark = pytest.mark.django_db
+
+
+def test_api_document_favorite_list_anonymous():
+    """Anonymous users should receive a 401 error."""
+    client = APIClient()
+
+    response = client.get(f"/api/v1.0/documents/favorite_list/")
+
+    assert response.status_code == 401
+
+
+def test_api_document_favorite_list_authenticated_no_favorite():
+    """Authenticated users should receive an empty list."""
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.get(f"/api/v1.0/documents/favorite_list/")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "count": 0,
+        "next": None,
+        "previous": None,
+        "results": [],
+    }
+
+
+def test_api_document_favorite_list_authenticated_with_favorite():
+    """Authenticated users with a favorite should receive the favorite."""
+
+    user = factories.UserFactory()
+    client = APIClient()
+    client.force_login(user)
+
+    # User don't have access to this document, let say it had access and this access has been
+    # removed. It should not be in the favorite list anymore.
+    factories.DocumentFactory(favorited_by=[user])
+
+    document = factories.UserDocumentAccessFactory(
+        user=user, role=models.RoleChoices.READER, document__favorited_by=[user]
+    ).document
+
+    response = client.get("/api/v1.0/documents/favorite_list/")
+
+    assert response.status_code == 200
+    assert response.json() == {
+        "count": 1,
+        "next": None,
+        "previous": None,
+        "results": [
+            {
+                "abilities": document.get_abilities(user),
+                "created_at": document.created_at.isoformat().replace("+00:00", "Z"),
+                "creator": str(document.creator.id),
+                "content": document.content,
+                "depth": document.depth,
+                "excerpt": document.excerpt,
+                "id": str(document.id),
+                "link_reach": document.link_reach,
+                "link_role": document.link_role,
+                "nb_accesses": document.nb_accesses,
+                "numchild": document.numchild,
+                "path": document.path,
+                "title": document.title,
+                "updated_at": document.updated_at.isoformat().replace("+00:00", "Z"),
+                "user_roles": ["reader"],
+            }
+        ],
+    }
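Review bot: The `client.get(f"/api/v1.0/documents/favorite_list/")` calls in the anonymous and no-favorite tests carry an f-string prefix with no placeholders (ruff F541); the third test already uses the plain literal, so `client.get("/api/v1.0/documents/favorite_list/")` keeps all three consistent. The comment above `factories.DocumentFactory(favorited_by=[user])` reads awkwardly; I would write it as `# The user has no access to this document (think of an access that was later revoked); it must not appear in the favorite list.` The anonymous test pins 401, but DRF only returns 401 when an authentication class supplies a WWW-Authenticate header and downgrades it to 403 otherwise (session auth alone does that), so this assertion is coupled to the project's configured authentication classes and is worth a short comment saying so. The exclusion check for the inaccessible favorited document is the valuable part of this test and is good to have.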