Explicitly raise 405 on unimpleneted method calls (#514)

DavidMStraub · web-flow · commit ac1b9e37dde1 · 2024-04-28T09:58:11.000+02:00
* Raise 405 by default

* Fix test

* Fix test
diff --git a/gramps_webapi/api/resources/__init__.py b/gramps_webapi/api/resources/__init__.py
@@ -19,6 +19,7 @@
 
 """API resource endpoints."""
 
+from flask import abort
 from flask.views import MethodView
 
 from ..auth import (
@@ -32,6 +33,26 @@
 class Resource(MethodView):
     """Base class for API resources."""
 
+    def get(self, *args, **kwargs):
+        """Default GET endpoint."""
+        abort(405)
+
+    def put(self, *args, **kwargs):
+        """Default PUT endpoint."""
+        abort(405)
+
+    def post(self, *args, **kwargs):
+        """Default POST endpoint."""
+        abort(405)
+
+    def delete(self, *args, **kwargs):
+        """Default DELETE endpoint."""
+        abort(405)
+
+    def patch(self, *args, **kwargs):
+        """Default PATCH endpoint."""
+        abort(405)
+
 
 class ProtectedResource(Resource):
     """Resource requiring JWT authentication."""
diff --git a/tests/test_endpoints/test_user.py b/tests/test_endpoints/test_user.py
@@ -112,8 +112,16 @@ def tearDown(self):
         self.dbman.remove_database(self.name)
 
     def test_change_password_wrong_method(self):
-        rv = self.client.get(BASE_URL + "/users/-/password/change")
-        assert rv.status_code == 404
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "user", "password": "123"}
+        )
+        assert rv.status_code == 200
+        token = rv.json["access_token"]
+        rv = self.client.get(
+            BASE_URL + "/users/-/password/change",
+            headers={"Authorization": f"Bearer {token}"},
+        )
+        assert rv.status_code == 405
 
     def test_change_password_no_token(self):
         rv = self.client.post(
