Ensure that new template folder belongs to the same service as parent

Since template folders are only linked by ID to their parent we need to check that the parent folder belongs to the same service as the one being created. Otherwise, admin users could modify parent ID to create a folder outside their service. Ideally, this check would be performed by a DB constraint, but since parent_id can be nullable this is only possible to express using DB triggers. Instead, we perform the check in the API endpoint code.
2026-01-31 23:26:23 -05:00 · 2018-11-07 13:38:09 +00:00
parent d46caa184e
commit 1dbb24065d
2 changed files with 26 additions and 4 deletions
--- a/tests/app/template_folder/test_template_folder_rest.py
+++ b/tests/app/template_folder/test_template_folder_rest.py
@@ -74,9 +74,6 @@ def test_create_template_folder_fails_if_missing_fields(admin_request, sample_se


 def test_create_template_folder_fails_if_unknown_parent_id(admin_request, sample_service):
-    # create existing folder
-    create_template_folder(sample_service)
-
    resp = admin_request.post(
        'template_folder.create_template_folder',
        service_id=sample_service.id,
@@ -88,6 +85,21 @@ def test_create_template_folder_fails_if_unknown_parent_id(admin_request, sample
    assert resp['message'] == 'parent_id not found'


+def test_create_template_folder_fails_if_parent_id_from_different_service(admin_request, sample_service):
+    s1 = create_service(service_name='a')
+    parent_folder_id = create_template_folder(s1).id
+
+    resp = admin_request.post(
+        'template_folder.create_template_folder',
+        service_id=sample_service.id,
+        _data={'name': 'bar', 'parent_id': str(parent_folder_id)},
+        _expected_status=400
+    )
+
+    assert resp['result'] == 'error'
+    assert resp['message'] == 'parent_id belongs to a different service'
+
+
 def test_rename_template_folder(admin_request, sample_service):
    existing_folder = create_template_folder(sample_service)