Add security-related test to the new settle endpoint

spiral-project · Mar 31, 2024 · 01d515c · 01d515c
1 parent 9a84858
commit 01d515c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 0 deletions.
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
@@ -1630,6 +1630,24 @@ def test_access_other_projects(self):
         member = models.Person.query.filter(models.Person.id == 1).one_or_none()
         assert member is None
 
+        # test new settle endpoint to add bills with wrong payer / payed_for
+        self.client.post("/exit")
+        self.client.post(
+            "/authenticate", data={"id": "tartiflette", "password": "tartiflette"}
+        )
+        self.client.post(
+            "/tartiflette/settle",
+            data={
+                "sender_id": 4,
+                "receiver_id": 5,
+                "amount": "42.0",
+            },
+        )
+        piratebill = models.Bill.query.filter(
+            models.Bill.bill_type == models.BillType.REIMBURSEMENT
+        ).one_or_none()
+        assert piratebill is None, "piratebill 3 should not exist"
+
     @pytest.mark.skip(reason="Currency conversion is broken")
     def test_currency_switch(self):
         # A project should be editable

diff --git a/ihatemoney/web.py b/ihatemoney/web.py
@@ -868,6 +868,7 @@ def add_settlement_bill():
         )
         return redirect(url_for(".settle_bill"))
 
+    # TODO: check that sender and receiver ID are valid and part of this project
 
     settlement = Bill(
         amount=form.amount.data,