Add security-related test to the new settle endpoint

2025-04-28 09:22:38 +02:00 · 2024-03-31 19:50:29 +02:00 · 2024-03-31 19:50:29 +02:00 · 87112ec9d1
commit 87112ec9d1
parent f9552076c3
2 changed files with 19 additions and 0 deletions
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -1630,6 +1630,24 @@ class TestBudget(IhatemoneyTestCase):
        member = models.Person.query.filter(models.Person.id == 1).one_or_none()
        assert member is None

+        # test new settle endpoint to add bills with wrong payer / payed_for
+        self.client.post("/exit")
+        self.client.post(
+            "/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
+        )
+        self.client.post(
+            "/tartiflette/settle",
+            data={
+                "sender_id": 4,
+                "receiver_id": 5,
+                "amount": "42.0",
+            },
+        )
+        piratebill = models.Bill.query.filter(
+            models.Bill.bill_type == models.BillType.REIMBURSEMENT
+        ).one_or_none()
+        assert piratebill is None, "piratebill 3 should not exist"
+
    @pytest.mark.skip(reason="Currency conversion is broken")
    def test_currency_switch(self):
        # A project should be editable
--- a/ihatemoney/web.py
+++ b/ihatemoney/web.py
@ -874,6 +874,7 @@ def add_settlement_bill():
        )
        return redirect(url_for(".settle_bill"))

+    # TODO: check that sender and receiver ID are valid and part of this project

    settlement = Bill(
        amount=form.amount.data,