From eb54c71d333335f90fdaab28630578df9ce7fabf Mon Sep 17 00:00:00 2001
From: "federico.spatola"
Date: Sun, 11 May 2025 12:33:33 +0200
Subject: [PATCH 1/2] added consistency check between path and body username in PUT /{username} route
---
 app/v1/routers/users/users_router.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/v1/routers/users/users_router.py b/app/v1/routers/users/users_router.py
index 5329050..28a408d 100644
--- a/app/v1/routers/users/users_router.py
+++ b/app/v1/routers/users/users_router.py
@@ -31,6 +31,8 @@ async def list_users(user_manager: UserManager = Depends(get_user_manager)) -> l
 @router.put("/{username}")
 async def update_user(username: str, user: User, user_manager: UserManager = Depends(get_user_manager)) -> User:
+ if username != user.username:
+ raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Username mismatch")
 try:
 return user_manager.update_user(username, user)
 except ValueError as ex:
From d16681e51c63878a4256a05193f129247117f2e6 Mon Sep 17 00:00:00 2001
From: "federico.spatola"
Date: Sun, 11 May 2025 12:34:13 +0200
Subject: [PATCH 2/2] move some 4xx tests in test_users_4xx.py and add some new tests
---
 tests/v1/routers/test_users.py | 25 -------------------
 tests/v1/routers/test_users_4xx.py | 39 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 25 deletions(-)
 create mode 100644 tests/v1/routers/test_users_4xx.py
diff --git a/tests/v1/routers/test_users.py b/tests/v1/routers/test_users.py
index 5194011..891a423 100644
--- a/tests/v1/routers/test_users.py
+++ b/tests/v1/routers/test_users.py
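Review bot: The new guard in update_user compares the raw path parameter with `user.username` by exact string equality, so if the `User` model normalises usernames (for example case-folding or stripping in a validator) a request whose path uses the un-normalised spelling would be rejected with 400 even though it targets the same account; the model is outside this hunk, so this is worth confirming rather than assumed. A one-line comment above the check would make the intent clear to the next reader, e.g. `# The path identifies the resource; a differing body username would act as a rename and could collide with another user, so reject it before touching the store.` The check also runs before the existence lookup, so a mismatched request for an unknown username yields 400 rather than 404, which is reasonable but should be stated in the route's docstring. `HTTPException` and `status` are referenced but their imports lie outside the hunk; the 2-insertion diffstat suggests they were already imported. The body of update_user continues past the hunk (the except branch is cut off).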
@@ -59,28 +59,3 @@ def test_delete_user(client: TestClient) -> None:
 # Verify the user is deleted
 response = client.get("/v1/users/deleteuser")
 assert response.status_code == 404
-
-
-def test_create_duplicate_user(client: TestClient) -> None:
- user_data = {"username": "duplicate", "email": "duplicate@example.com"}
- client.post("/v1/users/", json=user_data)
-
- # Try to create a user with the same username
- response = client.post("/v1/users/", json=user_data)
- assert response.status_code == 409
-
-
-def test_get_nonexistent_user(client: TestClient) -> None:
- response = client.get("/v1/users/nonexistent")
- assert response.status_code == 404
-
-
-def test_update_nonexistent_user(client: TestClient) -> None:
- user_data = {"username": "nonexistent", "email": "nonexistent@example.com"}
- response = client.put("/v1/users/nonexistent", json=user_data)
- assert response.status_code == 404
-
-
-def test_delete_nonexistent_user(client: TestClient) -> None:
- response = client.delete("/v1/users/nonexistent")
- assert response.status_code == 404
diff --git a/tests/v1/routers/test_users_4xx.py b/tests/v1/routers/test_users_4xx.py
new file mode 100644
index 0000000..5523ae2
--- /dev/null
+++ b/tests/v1/routers/test_users_4xx.py
@@ -0,0 +1,39 @@
+from fastapi.testclient import TestClient
+
+
+def test_create_duplicate_user(client: TestClient) -> None:
+ user_data = {"username": "duplicate", "email": "duplicate@example.com"}
+ client.post("/v1/users/", json=user_data)
+
+ # Try to create a user with the same username
+ response = client.post("/v1/users/", json=user_data)
+ assert response.status_code == 409
+
+
+def test_get_nonexistent_user(client: TestClient) -> None:
+ response = client.get("/v1/users/nonexistent")
+ assert response.status_code == 404
+
+
+def test_update_nonexistent_user(client: TestClient) -> None:
+ user_data = {"username": "nonexistent", "email": "nonexistent@example.com"}
+ response = client.put("/v1/users/nonexistent", json=user_data)
+ assert response.status_code == 404
+
+
+def test_delete_nonexistent_user(client: TestClient) -> None:
+ response = client.delete("/v1/users/nonexistent")
+ assert response.status_code == 404
+
+
+def test_create_user_invalid_data(client: TestClient) -> None:
+ response = client.post("/v1/users/", json={"username": "", "email": "not-an-email"})
+ assert response.status_code == 422
+
+
+def test_update_user_username_mismatch(client: TestClient) -> None:
+ user_data = {"username": "u1", "email": "u1@example.com"}
+ client.post("/v1/users/", json=user_data)
+ updated_data = {"username": "u2", "email": "new@example.com"}
+ response = client.put("/v1/users/u1", json=updated_data)
+ assert response.status_code == 400
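Review bot: test_update_user_username_mismatch asserts only the 400 status, so it would still pass if the route rejected the request after partially applying it; a follow-up `assert client.get("/v1/users/u1").json()["email"] == "u1@example.com"` and `assert client.get("/v1/users/u2").status_code == 404` would pin that the rejected update has no side effect on either account. test_create_user_invalid_data combines an empty username and a malformed email in one payload, so a 422 cannot show which validation fired; splitting it into two cases makes a regression in either check visible. These tests create users named `duplicate` and `u1` without cleanup, so they appear to rely on the `client` fixture providing a fresh store per test — that fixture is not in the diff, so this is an assumption worth confirming. The file has no module docstring; a one-liner such as `"""4xx responses of the /v1/users routes."""` would document the split this commit makes.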