added tests to check for unauthorized access

CNAG-Biomedical-Informatics · Dec 8, 2023 · 1b7f994 · 1b7f994
1 parent 6dc81b3
commit 1b7f994
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 5 deletions.
diff --git a/convertPheno_server/makefile b/convertPheno_server/makefile
@@ -17,8 +17,11 @@ install:
 	pip install --upgrade .
 
 .PHONY: .venv
-venv:
-	python3 -m venv .venv && source venv/bin/activate && pip3 install -r requirements-mini.txt
+venv:|
+	python3 -m venv .venv && \
+	source .venv/bin/activate && \
+	pip3 install --upgrade pip && \
+	pip3 install -r requirements.txt
 
 db-run:
 	docker run --name cp-pg -e POSTGRES_PASSWORD=postgres -d postgres

diff --git a/convertPheno_server/server/apis/submission.py b/convertPheno_server/server/apis/submission.py
@@ -456,15 +456,15 @@ def post(self, userid, uuid):
         """
         user = db.session.query(User).filter_by(name=userid).one_or_none()
         if user is None:
-            return {"message": "User does not exist"}, 404
+            return {"message": "User not found"}, 404
 
         data = request.get_json()
         job_id = data["jobId"]
         job = (
             db.session.query(Job).filter_by(job_id=job_id, owner=user.id).one_or_none()
         )
         if job is None:
-            return {"message": "Job does not exist"}, 404
+            return {"message": "Job not found"}, 404
 
         if data.get("downloadAllFiles"):
             mem_zip = downloadAllFiles(data, job.id)

diff --git a/convertPheno_server/tests/conftest.py b/convertPheno_server/tests/conftest.py
@@ -49,6 +49,11 @@ def header_2():
     return get_header("test2", DevelopmentConfig)
 
 
+@pytest.fixture(scope="session")
+def header_3():
+    return get_header("test3", DevelopmentConfig)
+
+
 @pytest.fixture(autouse=True)
 def app_context():
     with app.app_context():

diff --git a/convertPheno_server/tests/test_clinical.py b/convertPheno_server/tests/test_clinical.py
@@ -57,6 +57,14 @@ def test_conversion_job_not_exist(self, client, header):
         assert res.status_code == 404
         assert res.json["message"] == "job not found"
 
+    def test_user_not_exist(self, client, header, header_2):
+        convert_clinical_data(client, header)
+        data = deepcopy(default_data)
+        data["jobId"] = "1234"
+        res = req_post(client, header_2, url_suffix, data=data)
+        assert res.status_code == 404
+        assert res.json["message"] == "User not found"
+
     def test_conversion_clinical_data_not_found(self, client, header):
         job_id = convert_clinical_data(client, header)
         data = deepcopy(default_data)
@@ -73,6 +81,20 @@ def test_conversion_results_wrong_schema(self, client, header):
         assert res.status_code == 400
         assert res.json["message"] == "Input payload validation failed"
 
+    def test_conversion_results_user_not_authorized(self, client, header, header_3):
+        # Simulate user tries to access the conversion results of another user
+
+        # to create another  user
+        convert_clinical_data(client, header_3)
+
+        job_id = convert_clinical_data(client, header)
+        data = deepcopy(default_data)
+        data["jobId"] = str(job_id)
+        res = req_post(client, header_3, url_suffix, data=data)
+        # Assert that the server responds with an error or access denied message
+        assert res.status_code == 404  # HTTP Forbidden status code
+        assert res.json["message"] == "job not found"
+
 
 class TestClinicalFilteringClass:
     def test_filter_by_exact_match(self, client, header):

diff --git a/convertPheno_server/tests/test_download.py b/convertPheno_server/tests/test_download.py
@@ -4,7 +4,7 @@
 #
 #   This file is part of convert-pheno-ui
 #
-#   Last Modified: Apr/28/2023
+#   Last Modified: Apr/08/2023
 #
 #   Copyright (C) 2022-2023 Ivo Christopher Leist - CNAG (Ivo.leist@cnag.eu)
 #
@@ -63,6 +63,19 @@ def test_download_results_clinical_data_not_found(self, client, header):
         assert res.status_code == 404
         assert res.json["message"] == "clinical data not found"
 
+    def test_download_results_user_not_authorized(self, client, header, header_3):
+        # Simulate user tries to download the conversion results of another user
+
+        # to create another  user
+        convert_clinical_data(client, header_3)
+
+        job_id = convert_clinical_data(client, header)
+        data = deepcopy(default_data)
+        data["jobId"] = job_id
+        res = req_post(client, header_3, download_url_suffix, data=data)
+        assert res.status_code == 404
+        assert res.json["message"] == "Job not found"
+
     def test_download_all_results(self, client, header):
         data = {
             "runExampleData": True,