fix: check parent for category

morremeyer · morremeyer · commit 89d7b112ede1 · 2022-04-15T14:19:16.000+02:00
diff --git a/internal/controllers/category_test.go b/internal/controllers/category_test.go
@@ -55,7 +55,13 @@ func TestCategoryInvalidIDs(t *testing.T) {
 	r := test.Request(t, "GET", "/v1/budgets/1/categories/-557", "")
 	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
 
-	r = test.Request(t, "GET", "/v1/budgets/1/categories/HanShotFirst", "")
+	r = test.Request(t, "GET", "/v1/budgets/1/categories/NFTsAreAScam", "")
+	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
+
+	r = test.Request(t, "GET", "/v1/budgets/-574/categories/56", "")
+	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
+
+	r = test.Request(t, "GET", "/v1/budgets/NoReallyNFTsAreAScam/categories/1", "")
 	test.AssertHTTPStatus(t, http.StatusBadRequest, &r)
 }
 
@@ -68,6 +74,25 @@ func TestNonexistingBudgetCategories404(t *testing.T) {
 	test.AssertHTTPStatus(t, http.StatusNotFound, &recorder)
 }
 
+// TestCategoryParentChecked is a regression test for https://github.com/envelope-zero/backend/issues/90.
+//
+// It verifies that the category details endpoint for a budget only returns categorys that belong to the
+// budget.
+func TestCategoryParentChecked(t *testing.T) {
+	r := test.Request(t, "POST", "/v1/budgets", `{ "name": "New Budget", "note": "More tests something something" }`)
+	test.AssertHTTPStatus(t, http.StatusCreated, &r)
+
+	var budget BudgetDetailResponse
+	test.DecodeResponse(t, &r, &budget)
+
+	path := fmt.Sprintf("/v1/budgets/%v", budget.Data.ID)
+	r = test.Request(t, "GET", path+"/categories/1", "")
+	test.AssertHTTPStatus(t, http.StatusNotFound, &r)
+
+	r = test.Request(t, "DELETE", path, "")
+	test.AssertHTTPStatus(t, http.StatusNoContent, &r)
+}
+
 func TestCreateCategory(t *testing.T) {
 	recorder := test.Request(t, "POST", "/v1/budgets/1/categories", `{ "name": "New Category", "note": "More tests something something" }`)
 	test.AssertHTTPStatus(t, http.StatusCreated, &recorder)
diff --git a/internal/controllers/helper.go b/internal/controllers/helper.go
@@ -118,12 +118,13 @@ func getCategory(c *gin.Context) (models.Category, error) {
 		return models.Category{}, err
 	}
 
-	_, err = getBudget(c)
+	budget, err := getBudget(c)
 	if err != nil {
 		return models.Category{}, err
 	}
 
 	err = models.DB.Where(&models.Category{
+		BudgetID: budget.ID,
 		Model: models.Model{
 			ID: categoryID,
 		},

Original file line number	Diff line number	Diff line change
`@@ -118,12 +118,13 @@ func getCategory(c *gin.Context) (models.Category, error) {`
`118`	`118`	`return models.Category{}, err`
`119`	`119`	`}`
`120`	`120`
`121`		`- _, err = getBudget(c)`
	`121`	`+ budget, err := getBudget(c)`
`122`	`122`	`if err != nil {`
`123`	`123`	`return models.Category{}, err`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`err = models.DB.Where(&models.Category{`
	`127`	`+ BudgetID: budget.ID,`
`127`	`128`	`Model: models.Model{`
`128`	`129`	`ID: categoryID,`
`129`	`130`	`},`