test for unauthorized profile image upload

Open-MSS · Jul 16, 2024 · 3c5854e · 3c5854e
1 parent d473c8b
commit 3c5854e
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/mslib/mscolab/server.py b/mslib/mscolab/server.py
@@ -356,7 +356,7 @@ def get_user():
 @APP.route('/upload_profile_image', methods=["POST"])
 @verify_user
 def upload_profile_image():
-    user_id = request.form['user_id']
+    user_id = g.user.id
     file = request.files['image']
     if not file:
         return jsonify({'message': 'No file provided or invalid file type'}), 400
@@ -375,7 +375,7 @@ def upload_profile_image():
 @APP.route('/fetch_profile_image', methods=["GET"])
 @verify_user
 def fetch_profile_image():
-    user_id = request.form['user_id']
+    user_id = g.user.id
     user = User.query.get(user_id)
     if user and user.profile_image_path:
         base_path = mscolab_settings.UPLOAD_FOLDER

diff --git a/tests/_test_mscolab/test_server.py b/tests/_test_mscolab/test_server.py
@@ -154,6 +154,24 @@ def test_delete_user(self):
     # ToDo: Add a test for an oversized image/file ( > MAX_UPLOAD_SIZE) for chat attachments and profile image.
     # Currently, flask is unable to raise exception for an oversized file.
 
+    def test_unauthorized_profile_image_upload(self):
+        other_user_data = 'other@ex.com', 'other', 'other'
+        assert add_user(self.userdata[0], self.userdata[1], self.userdata[2])
+        assert add_user(other_user_data[0], other_user_data[1], other_user_data[2])
+        with self.app.test_client() as test_client:
+            # Case 1: Unauthenticated upload attempt
+            user = get_user(self.userdata[0])
+            assert user.profile_image_path is None
+            self._upload_profile_image(test_client, token="random-string", email=self.userdata[0])
+            user = get_user(self.userdata[0])
+            assert user.profile_image_path is None   # profile-image-path should remain None after failed upload
+
+            # Case 2: Authenticated as another user trying to upload for main user
+            token_of_other_user = self._get_token(test_client, other_user_data)
+            self._upload_profile_image(test_client, token_of_other_user, self.userdata[0])
+            user = get_user(self.userdata[0])
+            assert user.profile_image_path is None  # User should not be able to upload an image for another user
+
     def test_messages(self):
         assert add_user(self.userdata[0], self.userdata[1], self.userdata[2])
         with self.app.test_client() as test_client: