qzl/social-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: address CRITICAL security issues - permission escalation and encoding inconsistency

Browse Source
This commit is contained in:
qzl
2026-02-28 12:40:40 +08:00
parent 173d91086f
commit ce8cd1d31f
4 changed files with 64 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/tests/unit/v1/inbox_messages/test_service.py
+3 -2
View File
@@ -23,6 +23,7 @@ def _build_message(
status: InboxMessageModelStatus = InboxMessageModelStatus.PENDING,
message_type: InboxMessageModelType = InboxMessageModelType.CALENDAR,
schedule_item_id: UUID | None = None,
content: str = '{"permission": 7}',
) -> InboxMessage:
message = MagicMock(spec=InboxMessage)
message.id = message_id
@@ -30,7 +31,7 @@ def _build_message(
message.sender_id = uuid4()
message.message_type = message_type
message.schedule_item_id = schedule_item_id
message.content = "calendar invite"
message.content = content
message.is_read = False
message.status = status
message.created_at = datetime(2026, 2, 28, 10, 0, 0, tzinfo=timezone.utc)
@@ -107,7 +108,7 @@ async def test_accept_invitation_creates_subscription() -> None:
assert isinstance(subscription, ScheduleSubscription)
assert subscription.item_id == item_id
assert subscription.subscriber_id == user_id
assert subscription.permission == 3
assert subscription.permission == 5 # view(1) + edit(4) = 5
assert subscription.status == SubscriptionStatus.ACTIVE
repo.update_status.assert_awaited_once_with(message_id, user_id, "accepted")
session.commit.assert_awaited_once()