Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-24 05:35:31 -04:00
Code Issues Packages Projects Releases Wiki Activity

Harden gallery album assignment scope (#3004)

Browse Source
This commit is contained in:
Vykos
2026-06-07 12:49:03 +02:00
committed by GitHub
parent 06d28e23ac
commit a6490ffb1b
2 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_gallery_album_owner_scope.py
+15
View File
@@ -30,6 +30,13 @@ def test_patch_validates_target_album_ownership():
assert "_get_or_404_album(db, req.album_id, user)" in body
def test_upload_validates_target_album_ownership():
fns = _function_sources()
body = fns["gallery_upload"]
assert "album_id" in body
assert "_get_or_404_album(db, album_id, user)" in body
def test_list_albums_count_and_cover_are_owner_scoped():
fns = _function_sources()
body = fns["list_albums"]
@@ -38,6 +45,14 @@ def test_list_albums_count_and_cover_are_owner_scoped():
assert body.count("GalleryImage.owner == user") >= 2
def test_delete_album_cleanup_is_owner_scoped():
fns = _function_sources()
body = fns["delete_album"]
assert "GalleryImage.album_id == album_id" in body
assert "GalleryImage.owner == user" in body
assert 'q.update({"album_id": None}' in body
def test_get_or_404_album_enforces_owner():
# Guard the precedent we rely on: the helper rejects another user's album.
fns = _function_sources()