Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-15 17:25:26 -04:00
Code Issues Packages Projects Releases Wiki Activity

Harden gallery album assignment scope (#3004)

Browse Source
This commit is contained in:
Vykos
2026-06-07 12:49:03 +02:00
committed by GitHub
parent 06d28e23ac
commit a6490ffb1b
2 changed files with 22 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
routes/gallery_routes.py
+7 -3
View File
@@ -76,6 +76,9 @@ def setup_gallery_routes() -> APIRouter:
file_hash = hashlib.sha256(content).hexdigest()
db = SessionLocal()
try:
if album_id and user is not None:
_get_or_404_album(db, album_id, user)
# SECURITY: scope the dup-detect to THIS user — otherwise a
# caller can probe whether someone else uploaded the same
# file (the response leaks the existing row's id+filename).
@@ -1669,9 +1672,10 @@ def setup_gallery_routes() -> APIRouter:
db = SessionLocal()
try:
album = _get_or_404_album(db, album_id, user)
db.query(GalleryImage).filter(GalleryImage.album_id == album_id).update(
{"album_id": None}, synchronize_session=False
)
q = db.query(GalleryImage).filter(GalleryImage.album_id == album_id)
if user is not None:
q = q.filter(GalleryImage.owner == user)
q.update({"album_id": None}, synchronize_session=False)
db.delete(album)
db.commit()
return {"ok": True}
tests/test_gallery_album_owner_scope.py
+15
View File
@@ -30,6 +30,13 @@ def test_patch_validates_target_album_ownership():
assert "_get_or_404_album(db, req.album_id, user)" in body
def test_upload_validates_target_album_ownership():
fns = _function_sources()
body = fns["gallery_upload"]
assert "album_id" in body
assert "_get_or_404_album(db, album_id, user)" in body
def test_list_albums_count_and_cover_are_owner_scoped():
fns = _function_sources()
body = fns["list_albums"]
@@ -38,6 +45,14 @@ def test_list_albums_count_and_cover_are_owner_scoped():
assert body.count("GalleryImage.owner == user") >= 2
def test_delete_album_cleanup_is_owner_scoped():
fns = _function_sources()
body = fns["delete_album"]
assert "GalleryImage.album_id == album_id" in body
assert "GalleryImage.owner == user" in body
assert 'q.update({"album_id": None}' in body
def test_get_or_404_album_enforces_owner():
# Guard the precedent we rely on: the helper rejects another user's album.
fns = _function_sources()