Add security-related test to the new settle endpoint

Baptiste Jonglez 2024-03-31 19:50:29 +02:00 committed by Alexis Métaireau
parent f9552076c3
commit 87112ec9d1
No known key found for this signature in database
GPG key ID: 1C21B876828E5FF2
2 changed files with 19 additions and 0 deletions


@ -1630,6 +1630,24 @@ class TestBudget(IhatemoneyTestCase):
member = models.Person.query.filter(models.Person.id == 1).one_or_none() member = models.Person.query.filter(models.Person.id == 1).one_or_none()
assert member is None assert member is None
# test new settle endpoint to add bills with wrong payer / payed_for
self.client.post("/exit")
self.client.post(
"/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
)
self.client.post(
"/tartiflette/settle",
data={
"sender_id": 4,
"receiver_id": 5,
"amount": "42.0",
},
)
piratebill = models.Bill.query.filter(
models.Bill.bill_type == models.BillType.REIMBURSEMENT
).one_or_none()
assert piratebill is None, "piratebill 3 should not exist"
@pytest.mark.skip(reason="Currency conversion is broken") @pytest.mark.skip(reason="Currency conversion is broken")
def test_currency_switch(self): def test_currency_switch(self):
# A project should be editable # A project should be editable
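Review bot: The final `assert piratebill is None` can pass for the wrong reason, because the responses of the `/authenticate` and `/tartiflette/settle` posts are discarded. If the login fails, or the form is rejected for an unrelated reason, no REIMBURSEMENT bill exists and the test is green without ever reaching the sender/receiver membership check. Keep the response, as in `resp = self.client.post("/tartiflette/settle", data={...})`, and assert on the expected rejection; the exact status code or flash message is not visible here and must be confirmed against the view. A positive control in the same test would help: settle between two members that do belong to `tartiflette`, assert the bill is created, then delete it. The test method starts outside this section, so a short comment such as `# members 4 and 5 belong to another project` would make the intent checkable (confirm the IDs against the setup above).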


@ -874,6 +874,7 @@ def add_settlement_bill():
) )
return redirect(url_for(".settle_bill")) return redirect(url_for(".settle_bill"))
# TODO: check that sender and receiver ID are valid and part of this project
settlement = Bill( settlement = Bill(
amount=form.amount.data, amount=form.amount.data,