test: add tests for external team user discoverability bypass

kolaente
2026-03-04 19:54:35 +01:00
parent 64e455a613
commit 3a730165bc
2 changed files with 49 additions and 0 deletions


@@ -53,6 +53,13 @@ var (
Email: "user1@example.com",
Issuer: "local",
}
testuser10 = user.User{
ID: 10,
Username: "user10",
Password: "$2a$14$dcadBoMBL9jQoOcZK8Fju.cy0Ptx2oZECkKLnaa8ekRoTFe1w7To.",
Email: "user10@example.com",
Issuer: "local",
}
testuser15 = user.User{
ID: 15,
Username: "user15",


@@ -41,4 +41,46 @@ func TestUserProject(t *testing.T) {
assert.NotContains(t, rec.Body.String(), `user4`)
assert.NotContains(t, rec.Body.String(), `user5`)
})
t.Run("external team member discoverable by name", func(t *testing.T) {
// User 10 searches for "Some one else" (user 11's name).
// User 11 has discoverable_by_name=false, but they share external team 14.
// Should find user 11.
rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser10, "", map[string][]string{"s": {"Some one else"}}, nil)
require.NoError(t, err)
assert.Contains(t, rec.Body.String(), `user11`)
})
t.Run("external team member discoverable by email", func(t *testing.T) {
// User 10 searches for user 11's email.
// User 11 has discoverable_by_email=false, but they share external team 14.
// Should find user 11.
rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser10, "", map[string][]string{"s": {"user11@example.com"}}, nil)
require.NoError(t, err)
assert.Contains(t, rec.Body.String(), `user11`)
})
t.Run("non-external-team user cannot discover by name", func(t *testing.T) {
// User 1 searches for "Some one else" (user 11's name).
// User 1 does NOT share an external team with user 11.
// User 11 has discoverable_by_name=false.
// Should NOT find user 11.
rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"Some one else"}}, nil)
require.NoError(t, err)
assert.NotContains(t, rec.Body.String(), `user11`)
})
t.Run("non-external-team user cannot discover by email", func(t *testing.T) {
// User 1 searches for user 11's email.
// User 1 does NOT share an external team with user 11.
// User 11 has discoverable_by_email=false.
// Should NOT find user 11.
rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"user11@example.com"}}, nil)
require.NoError(t, err)
assert.NotContains(t, rec.Body.String(), `user11`)
})
t.Run("regular team does not bypass discoverability", func(t *testing.T) {
// User 1 and user 2 share team 1 (a regular team, no external_id).
// User 2 has discoverable_by_name=false and discoverable_by_email=false.
// Searching by email should NOT find user 2 (regular team doesn't bypass).
rec, err := newTestRequestWithUser(t, http.MethodPost, apiv1.UserList, &testuser1, "", map[string][]string{"s": {"user2@example.com"}}, nil)
require.NoError(t, err)
assert.NotContains(t, rec.Body.String(), `user2`)
})
}
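Review bot: The positive assertions at L39 and L47 check only that the substring `user11` appears somewhere in the raw body, and the search term itself (`user11@example.com` at L45) contains that substring, so if the endpoint echoes the query back in any field or error message the "discoverable by email" case passes without the external-team bypass working at all; the same looseness lets `user11` match an unrelated `user110`. Since these tests are the guard for a discoverability control, assert on the decoded result instead: unmarshal `rec.Body.Bytes()` into `[]user.User` and require exactly one entry with `Username == "user11"` (and zero such entries in the negative cases, which also fixes L73, where `NotContains` on `user2` would spuriously fail if a `user20`-style username is ever added to the fixtures). The comment at L69 states user 2 has both `discoverable_by_name=false` and `discoverable_by_email=false`, yet only the email path is exercised; a sibling subtest searching by user 2's display name would cover the name path for regular teams too. TestUserProject starts outside the hunk; the fixtures these cases rely on (user 11, external team 14) are not part of this commit, so the assumptions in the comments should be verified against the fixture files.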