Improve security
+43
-5
@@ -2,13 +2,17 @@ use actix_web::{web, HttpResponse};
|
||||
use diesel::RunQueryDsl;
|
||||
|
||||
use crate::{
|
||||
database::establish_connection, json_serialization::new_feed::NewFeedSchema,
|
||||
models::feed::new_feed::NewFeed, schema::feed,
|
||||
auth::extractor::AuthUser, database::establish_connection,
|
||||
json_serialization::new_feed::NewFeedSchema, models::feed::new_feed::NewFeed, schema::feed,
|
||||
};
|
||||
|
||||
use super::feeds;
|
||||
|
||||
pub async fn add(new_feed: web::Json<NewFeedSchema>) -> HttpResponse {
|
||||
pub async fn add(new_feed: web::Json<NewFeedSchema>, auth_user: AuthUser) -> HttpResponse {
|
||||
if auth_user.0 != new_feed.user_id {
|
||||
return HttpResponse::Forbidden().finish();
|
||||
}
|
||||
|
||||
let mut connection = establish_connection();
|
||||
let title: String = new_feed.title.clone();
|
||||
let url: String = new_feed.url.clone();
|
||||
@@ -45,15 +49,25 @@ pub async fn add(new_feed: web::Json<NewFeedSchema>) -> HttpResponse {
|
||||
|
||||
#[cfg(test)]
|
||||
mod tests {
|
||||
use actix_service::Service;
|
||||
use actix_web::http::StatusCode;
|
||||
use actix_web::{test, web, App};
|
||||
use actix_web::{test, web, App, HttpMessage};
|
||||
|
||||
use super::add;
|
||||
use crate::auth::extractor::AuthUser;
|
||||
use crate::test_helpers::unique_suffix;
|
||||
|
||||
#[actix_web::test]
|
||||
async fn add_fails_for_unfetchable_feed_url() {
|
||||
let app = test::init_service(App::new().route("/add", web::post().to(add))).await;
|
||||
let app = test::init_service(
|
||||
App::new()
|
||||
.wrap_fn(move |req, srv| {
|
||||
req.extensions_mut().insert(AuthUser(1));
|
||||
srv.call(req)
|
||||
})
|
||||
.route("/add", web::post().to(add)),
|
||||
)
|
||||
.await;
|
||||
let req = test::TestRequest::post()
|
||||
.uri("/add")
|
||||
.set_json(serde_json::json!({
|
||||
@@ -66,4 +80,28 @@ mod tests {
|
||||
|
||||
assert_eq!(StatusCode::NOT_FOUND, resp.status());
|
||||
}
|
||||
|
||||
#[actix_web::test]
|
||||
async fn add_rejects_feed_for_another_user() {
|
||||
let app = test::init_service(
|
||||
App::new()
|
||||
.wrap_fn(move |req, srv| {
|
||||
req.extensions_mut().insert(AuthUser(1));
|
||||
srv.call(req)
|
||||
})
|
||||
.route("/add", web::post().to(add)),
|
||||
)
|
||||
.await;
|
||||
let req = test::TestRequest::post()
|
||||
.uri("/add")
|
||||
.set_json(serde_json::json!({
|
||||
"title": "Someone else's feed",
|
||||
"url": format!("https://example.test/feed/{}", unique_suffix()),
|
||||
"user_id": 2
|
||||
}))
|
||||
.to_request();
|
||||
let resp = test::call_service(&app, req).await;
|
||||
|
||||
assert_eq!(StatusCode::FORBIDDEN, resp.status());
|
||||
}
|
||||
}
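Review bot: The ownership check added at `if auth_user.0 != new_feed.user_id` still leaves the client-supplied `user_id` as the value that reaches the insert (the insert is past the end of the first hunk, so this is inferred); taking the owner from `auth_user.0` when building the `NewFeed`, and treating `new_feed.user_id` only as a mismatch to reject or dropping it from `NewFeedSchema`, would keep authorization from depending on the comparison and the insert staying in sync. A doc comment on `add` would make the contract explicit: `/// Creates a feed owned by the authenticated user; a body whose user_id differs from the caller is rejected with 403 before any database work.` The tests in the second and third hunks inject `AuthUser(1)` through `wrap_fn`, so the extractor's own rejection path is never exercised; a test posting without an `AuthUser` in the request extensions would pin that unauthenticated requests are turned away before reaching the handler, assuming the extractor fails in that case. The body of `add` continues past the first hunk.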
|
||||
|
||||