darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2026-01-30 06:21:50 -05:00
Code Issues Packages Projects Releases Wiki Activity

Always use both folder and service ID when getting template folder

Browse Source 
Currently there aren't any permission checks based on folder IDs in
the admin app or the API, so it's possible for a user to modify the
folder ID to perform operations on folders outside their service.

Our usual way to avoid this is to always use service_id filter when
fetching objects from the database.
This commit is contained in:
Alexey Bezhan
2018-11-07 13:48:18 +00:00
parent 1dbb24065d
commit 36f41c23e1
3 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tests/app/template_folder/test_template_folder_rest.py
View File

@@ -97,7 +97,7 @@ def test_create_template_folder_fails_if_parent_id_from_different_service(admin_
)
assert resp['result'] == 'error'
assert resp['message'] == 'parent_id belongs to a different service'
assert resp['message'] == 'parent_id not found'
def test_rename_template_folder(admin_request, sample_service):