Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-30 00:22:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(gallery): fail closed for null-user owner scope (#3613)

Browse Source
This commit is contained in:
RaresKeY
2026-06-09 21:20:21 +03:00
committed by GitHub
parent cdfda4bd16
commit 5d33393a28
6 changed files with 201 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_gallery_album_owner_scope.py
+6 -3
View File
@@ -40,9 +40,12 @@ def test_upload_validates_target_album_ownership():
def test_list_albums_count_and_cover_are_owner_scoped():
fns = _function_sources()
body = fns["list_albums"]
# Both the per-album image count and the cover-fallback query must owner-scope
# by GalleryImage.owner (the album list itself already filters by owner).
assert body.count("GalleryImage.owner == user") >= 2
# The album list, per-album image count, explicit cover, and cover-fallback
# queries should all share the same gallery owner policy.
assert "q = _owner_filter(q, user, GalleryAlbum)" in body
assert "_count_q = _owner_filter(_count_q, user)" in body
assert "cover = _owner_filter(cover_q, user).first()" in body
assert "_cover_q = _owner_filter(_cover_q, user)" in body
def test_delete_album_cleanup_is_owner_scoped():