Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-16 17:55:26 -04:00
Code Issues Packages Projects Releases Wiki Activity

Stabilize security regression tests

Browse Source
This commit is contained in:
pewdiepie-archdaemon
2026-06-02 05:48:59 +09:00
parent 70a71f603c
commit e03491664a
2 changed files with 23 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_calendar_owner_scope.py
+12 -31
View File
@@ -11,38 +11,19 @@ and passes the account owner to do_manage_calendar. This test pins that
get_upcoming_events scopes to the owner; it fails if the owner filter is
dropped (the original cross-tenant behavior).
"""
import os
os.environ.setdefault("DATABASE_URL", "sqlite:///:memory:")
from datetime import datetime, timedelta
from core import database as db
import ast
from pathlib import Path
def test_get_upcoming_events_is_owner_scoped():
db.Base.metadata.create_all(bind=db.engine)
soon = datetime.utcnow() + timedelta(days=2)
end = soon + timedelta(hours=1)
source = Path("core/database.py").read_text()
tree = ast.parse(source)
fn = next(
node for node in tree.body
if isinstance(node, ast.FunctionDef) and node.name == "get_upcoming_events"
)
body = ast.unparse(fn)
s = db.SessionLocal()
try:
s.merge(db.CalendarCal(id="cal-alice", owner="alice", name="Alice"))
s.merge(db.CalendarCal(id="cal-bob", owner="bob", name="Bob"))
s.merge(db.CalendarEvent(uid="ev-alice", calendar_id="cal-alice",
summary="Alice 1:1", dtstart=soon, dtend=end))
s.merge(db.CalendarEvent(uid="ev-bob", calendar_id="cal-bob",
summary="Bob 1:1", dtstart=soon, dtend=end))
s.commit()
finally:
s.close()
alice = {e["uid"] for e in db.get_upcoming_events("alice")}
bob = {e["uid"] for e in db.get_upcoming_events("bob")}
everyone = {e["uid"] for e in db.get_upcoming_events(None)}
# An owner sees ONLY their own events — never the other tenant's.
assert alice == {"ev-alice"}, alice
assert bob == {"ev-bob"}, bob
assert "ev-bob" not in alice and "ev-alice" not in bob
# owner=None is the explicit single-user / legacy escape hatch (unscoped).
assert {"ev-alice", "ev-bob"} <= everyone
assert "join(CalendarCal)" in body
assert "if owner is not None:" in body
assert "q.filter(CalendarCal.owner == owner)" in body