cartaid/shopping-assistant-api
1
0
Fork 0
mirror of https://github.com/Shchoholiev/shopping-assistant-api.git synced 2025-04-26 00:07:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix unauthorized access to wishlistsPage

Browse Source
This commit is contained in:
cuqmbr 2023-10-15 10:55:39 +03:00
parent 4f67175ff7
commit 9c9081a44f
Signed by: cuqmbr
GPG Key ID: 2D72ED98B6CB200F
4 changed files with 86 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ShoppingAssistantApi.Infrastructure/Services/WishlistsService.cs
View File

@ -79,7 +79,7 @@ public class WishlistsService : IWishlistsService
public async Task<PagedList<WishlistDto>> GetPersonalWishlistsPageAsync(int pageNumber, int pageSize, CancellationToken cancellationToken) public async Task<PagedList<WishlistDto>> GetPersonalWishlistsPageAsync(int pageNumber, int pageSize, CancellationToken cancellationToken)
{ {
var entities = await _wishlistsRepository.GetPageAsync(pageNumber, pageSize, cancellationToken); var entities = await _wishlistsRepository.GetPageAsync(pageNumber, pageSize, x => x.CreatedById == GlobalUser.Id, cancellationToken);
var dtos = _mapper.Map<List<WishlistDto>>(entities); var dtos = _mapper.Map<List<WishlistDto>>(entities);
var count = await _wishlistsRepository.GetTotalCountAsync(); var count = await _wishlistsRepository.GetTotalCountAsync();
return new PagedList<WishlistDto>(dtos, pageNumber, pageSize, count); return new PagedList<WishlistDto>(dtos, pageNumber, pageSize, count);

2
ShoppingAssistantApi.Persistance/Repositories/BaseRepository.cs
View File

@ -69,4 +69,4 @@ public abstract class BaseRepository<TEntity> where TEntity : EntityBase
return await this._collection.FindOneAndUpdateAsync( return await this._collection.FindOneAndUpdateAsync(
Builders<TEntity>.Filter.Eq(e => e.Id, entity.Id), updateDefinition, options, cancellationToken); Builders<TEntity>.Filter.Eq(e => e.Id, entity.Id), updateDefinition, options, cancellationToken);
} }
} }

5
ShoppingAssistantApi.Persistance/Repositories/MessagesRepository.cs
View File

@ -14,8 +14,11 @@ public class MessagesRepository : BaseRepository<Message>, IMessagesRepository
{ {
var messageCount = await GetCountAsync(predicate, cancellationToken); var messageCount = await GetCountAsync(predicate, cancellationToken);
pageSize = Math.Clamp(pageSize, 1, messageCount);
var numberOfPages = messageCount / pageSize;
return await _collection.Find(predicate) return await _collection.Find(predicate)
.Skip((messageCount / pageSize - pageNumber) * pageSize) .Skip((numberOfPages - pageNumber) * pageSize)
.Limit(pageSize) .Limit(pageSize)
.ToListAsync(cancellationToken); .ToListAsync(cancellationToken);
} }

86
ShoppingAssistantApi.Tests/Tests/WishlistsTests.cs
View File

@ -86,7 +86,7 @@ public class WishlistsTests : IClassFixture<TestingFactory<Program>>
variables = new variables = new
{ {
pageNumber = 1, pageNumber = 1,
pageSize = 1 pageSize = 5
} }
}; };
@ -212,8 +212,6 @@ public class WishlistsTests : IClassFixture<TestingFactory<Program>>
var responseString = await response.Content.ReadAsStringAsync(); var responseString = await response.Content.ReadAsStringAsync();
var document = JsonConvert.DeserializeObject<dynamic>(responseString); var document = JsonConvert.DeserializeObject<dynamic>(responseString);
Console.WriteLine(document.data.messagesPageFromPersonalWishlist);
var messagesPageFromPersonalWishlist = Enumerable.ToList(document.data.messagesPageFromPersonalWishlist.items); var messagesPageFromPersonalWishlist = Enumerable.ToList(document.data.messagesPageFromPersonalWishlist.items);
var firstMessageInPage = messagesPageFromPersonalWishlist[0]; var firstMessageInPage = messagesPageFromPersonalWishlist[0];
var secondMessageInPage = messagesPageFromPersonalWishlist[1]; var secondMessageInPage = messagesPageFromPersonalWishlist[1];
@ -286,6 +284,71 @@ public class WishlistsTests : IClassFixture<TestingFactory<Program>>
Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode); Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode);
} }
[Fact]
public async Task GetPersonalWishlistsPage_InValidPageNumber_ReturnsEmptyList()
{
var tokensModel = await AccessExtention.Login(WISHLIST_TESTING_USER_EMAIL, WISHLIST_TESTING_USER_PASSWORD, _httpClient);
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokensModel.AccessToken);
var user = await UserExtention.GetCurrentUser(_httpClient);
var query = new
{
query = "query personalWishlistsPage($pageNumber: Int!, $pageSize: Int!) { personalWishlistsPage(pageNumber: $pageNumber, pageSize: $pageSize) { items { createdById, id, name, type } } }",
variables = new
{
pageNumber = 100,
pageSize = 1
}
};
var jsonPayload = JsonConvert.SerializeObject(query);
var content = new StringContent(jsonPayload, Encoding.UTF8, "application/json");
using var response = await _httpClient.PostAsync("graphql", content);
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var responseString = await response.Content.ReadAsStringAsync();
var document = JsonConvert.DeserializeObject<dynamic>(responseString);
var personalWishlistsPageItems = Enumerable.ToList(document.data.personalWishlistsPage.items);
Assert.Empty(personalWishlistsPageItems);
}
[Fact]
public async Task GetPersonalWishlistsPage_InValidPageSize_ReturnsPage()
{
var tokensModel = await AccessExtention.Login(WISHLIST_TESTING_USER_EMAIL, WISHLIST_TESTING_USER_PASSWORD, _httpClient);
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokensModel.AccessToken);
var user = await UserExtention.GetCurrentUser(_httpClient);
var query = new
{
query = "query personalWishlistsPage($pageNumber: Int!, $pageSize: Int!) { personalWishlistsPage(pageNumber: $pageNumber, pageSize: $pageSize) { items { createdById, id, name, type } } }",
variables = new
{
pageNumber = 1,
pageSize = 100
}
};
var jsonPayload = JsonConvert.SerializeObject(query);
var content = new StringContent(jsonPayload, Encoding.UTF8, "application/json");
using var response = await _httpClient.PostAsync("graphql", content);
response.EnsureSuccessStatusCode();
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var responseString = await response.Content.ReadAsStringAsync();
var document = JsonConvert.DeserializeObject<dynamic>(responseString);
var personalWishlistsPageItems = Enumerable.ToList(document.data.personalWishlistsPage.items);
var personalWishlistCreatedById = (string) personalWishlistsPageItems[0].createdById;
Assert.NotEmpty(personalWishlistsPageItems);
Assert.Equal(user.Id, personalWishlistCreatedById);
}
[Fact] [Fact]
public async Task GetPersonalWishlist_InvalidWishlistId_ReturnsInternalServerError() public async Task GetPersonalWishlist_InvalidWishlistId_ReturnsInternalServerError()
{ {
@ -362,7 +425,7 @@ public class WishlistsTests : IClassFixture<TestingFactory<Program>>
} }
[Fact] [Fact]
public async Task GetMessagesPageFromPersonalWishlist_InValidPageNumber_ReturnsInternalServerError() public async Task GetMessagesPageFromPersonalWishlist_InValidPageNumber_ReturnsEmptyList()
{ {
var tokensModel = await AccessExtention.Login(WISHLIST_TESTING_USER_EMAIL, WISHLIST_TESTING_USER_PASSWORD, _httpClient); var tokensModel = await AccessExtention.Login(WISHLIST_TESTING_USER_EMAIL, WISHLIST_TESTING_USER_PASSWORD, _httpClient);
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokensModel.AccessToken); _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokensModel.AccessToken);
@ -387,7 +450,7 @@ public class WishlistsTests : IClassFixture<TestingFactory<Program>>
} }
[Fact] [Fact]
public async Task GetMessagesPageFromPersonalWishlist_InValidPageSize_ReturnsInternalServerError() public async Task GetMessagesPageFromPersonalWishlist_InValidPageSize_ReturnsPage()
{ {
var tokensModel = await AccessExtention.Login(WISHLIST_TESTING_USER_EMAIL, WISHLIST_TESTING_USER_PASSWORD, _httpClient); var tokensModel = await AccessExtention.Login(WISHLIST_TESTING_USER_EMAIL, WISHLIST_TESTING_USER_PASSWORD, _httpClient);
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokensModel.AccessToken); _httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokensModel.AccessToken);
@ -408,7 +471,18 @@ public class WishlistsTests : IClassFixture<TestingFactory<Program>>
var content = new StringContent(jsonPayload, Encoding.UTF8, "application/json"); var content = new StringContent(jsonPayload, Encoding.UTF8, "application/json");
using var response = await _httpClient.PostAsync("graphql", content); using var response = await _httpClient.PostAsync("graphql", content);
Assert.Equal(HttpStatusCode.InternalServerError, response.StatusCode); Assert.Equal(HttpStatusCode.OK, response.StatusCode);
var responseString = await response.Content.ReadAsStringAsync();
var document = JsonConvert.DeserializeObject<dynamic>(responseString);
var messagesPageFromPersonalWishlist = Enumerable.ToList(document.data.messagesPageFromPersonalWishlist.items);
var firstMessageInPage = messagesPageFromPersonalWishlist[0];
var secondMessageInPage = messagesPageFromPersonalWishlist[1];
Assert.Equal("Message 1", (string) firstMessageInPage.text);
Assert.Equal(MessageRoles.User.ToString(), (string) firstMessageInPage.role);
Assert.Equal(user.Id, (string) firstMessageInPage.createdById);
} }
[Fact] [Fact]