fix: check parent for allocation

morremeyer · morremeyer · commit 86979fbe0d5b · 2022-04-15T14:19:16.000+02:00
diff --git a/internal/controllers/allocation.go b/internal/controllers/allocation.go
@@ -92,10 +92,8 @@ func GetAllocations(c *gin.Context) {
 
 // GetAllocation retrieves a allocation by its ID.
 func GetAllocation(c *gin.Context) {
-	var allocation models.Allocation
-	err := models.DB.First(&allocation, c.Param("allocationId")).Error
+	allocation, err := getAllocation(c)
 	if err != nil {
-		FetchErrorHandler(c, err)
 		return
 	}
 
diff --git a/internal/controllers/allocation_test.go b/internal/controllers/allocation_test.go
@@ -54,6 +54,22 @@ func TestNoAllocationNotFound(t *testing.T) {
 	test.AssertHTTPStatus(t, http.StatusNotFound, &recorder)
 }
 
+// TestAllocationInvalidIDs verifies that on non-number requests for allocation IDs,
+// the API returs a Bad Request status code.
+func TestAllocationInvalidIDs(t *testing.T) {
+	r := test.Request(t, "GET", "/v1/budgets/1/categories/1/envelopes/1/allocations/-2", "")
+	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
+
+	r = test.Request(t, "GET", "/v1/budgets/1/categories/1/envelopes/1/allocations/RoadWorkAhead", "")
+	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
+
+	r = test.Request(t, "GET", "/v1/budgets/1/categories/1/envelopes/-755/allocations/1", "")
+	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
+
+	r = test.Request(t, "GET", "/v1/budgets/1/categories/1/envelopes/WhatDoYourElfEyesSee/allocations/1", "")
+	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
+}
+
 // TestNonexistingEnvelopeAllocations404 is a regression test for https://github.com/envelope-zero/backend/issues/89.
 //
 // It verifies that for a non-existing envelope, no matter if the category or budget exists,
@@ -81,6 +97,25 @@ func TestNonexistingBudgetAllocations404(t *testing.T) {
 	test.AssertHTTPStatus(t, http.StatusNotFound, &recorder)
 }
 
+// TestAllocationParentChecked is a regression test for https://github.com/envelope-zero/backend/issues/90.
+//
+// It verifies that the allocations details endpoint for an envelope only returns allocations that belong to the
+// envelope.
+func TestAllocationParentChecked(t *testing.T) {
+	r := test.Request(t, "POST", "/v1/budgets/1/categories/1/envelopes", `{ "name": "Testing envelope" }`)
+	test.AssertHTTPStatus(t, http.StatusCreated, &r)
+
+	var envelope EnvelopeDetailResponse
+	test.DecodeResponse(t, &r, &envelope)
+
+	path := fmt.Sprintf("/v1/budgets/1/categories/1/envelopes/%v", envelope.Data.ID)
+	r = test.Request(t, "GET", path+"/allocations/1", "")
+	test.AssertHTTPStatus(t, http.StatusNotFound, &r)
+
+	r = test.Request(t, "DELETE", path, "")
+	test.AssertHTTPStatus(t, http.StatusNoContent, &r)
+}
+
 func TestCreateAllocation(t *testing.T) {
 	recorder := test.Request(t, "POST", "/v1/budgets/1/categories/1/envelopes/1/allocations", `{ "month": 10, "year": 2022, "amount": 15.42 }`)
 	test.AssertHTTPStatus(t, http.StatusCreated, &recorder)
diff --git a/internal/controllers/helper.go b/internal/controllers/helper.go
@@ -167,6 +167,34 @@ func getEnvelope(c *gin.Context) (models.Envelope, error) {
 	return envelope, nil
 }
 
+// getAllocation verifies that the request URI is valid for the transaction and returns it.
+func getAllocation(c *gin.Context) (models.Allocation, error) {
+	var allocation models.Allocation
+
+	envelope, err := getEnvelope(c)
+	if err != nil {
+		return models.Allocation{}, err
+	}
+
+	allocationID, err := parseID(c, "allocationId")
+	if err != nil {
+		return models.Allocation{}, err
+	}
+
+	err = models.DB.First(&allocation, &models.Allocation{
+		EnvelopeID: envelope.ID,
+		Model: models.Model{
+			ID: allocationID,
+		},
+	}).Error
+	if err != nil {
+		FetchErrorHandler(c, err)
+		return models.Allocation{}, err
+	}
+
+	return allocation, nil
+}
+
 // getTransaction verifies that the request URI is valid for the transaction and returns it.
 func getTransaction(c *gin.Context) (models.Transaction, error) {
 	var transaction models.Transaction
