test: add failing test for task comment IDOR

Proves that a user can read a comment from an inaccessible task by
supplying an accessible task ID in the URL. Comment 18 belongs to
task 34 (owned by user 13), but testuser1 can read it via task 1.

Ref: GHSA-mr3j-p26x-72x4
This commit is contained in:
kolaente
2026-03-20 10:12:27 +01:00
committed by kolaente
parent be0aaa7060
commit 2da89258e5


@@ -311,3 +311,26 @@ func TestTaskComments(t *testing.T) {
})
})
}
func TestTaskCommentIDOR(t *testing.T) {
t.Run("Cannot read comment from inaccessible task via accessible task ID", func(t *testing.T) {
// Comment 18 belongs to task 34 (owned by user 13, inaccessible to testuser1).
// Task 1 is accessible to testuser1.
// Requesting GET /tasks/1/comments/18 should fail because the comment
// does not belong to task 1.
testHandler := webHandlerTest{
user: &testuser1,
strFunc: func() handler.CObject {
return &models.TaskComment{}
},
t: t,
}
_, err := testHandler.testReadOneWithUser(nil, map[string]string{
"task": "1", // task accessible to testuser1
"commentid": "18", // comment belonging to task 34, NOT accessible to testuser1
})
assert.Error(t, err)
assertHandlerErrorCode(t, err, models.ErrCodeTaskCommentDoesNotExist)
})
}
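Review bot: The new test pins only the read path through `testReadOneWithUser`, while the defect described in the commit message is a mismatch between the task ID in the URL and the task the comment actually belongs to; if the update and delete comment handlers resolve the comment by ID in the same way, they need the same cross-task case and this commit does not add it. Expecting `models.ErrCodeTaskCommentDoesNotExist` rather than a forbidden code is the right assertion, since a distinct "forbidden" answer would still confirm to testuser1 that comment 18 exists. The test depends on specific fixture rows (comment 18 → task 34 → user 13), so a line above the `t.Run` such as `// Regression test for GHSA-mr3j-p26x-72x4; relies on the fixtures for comment 18, task 34 and user 13.` would make the coupling and the advisory traceable for whoever edits the fixtures later. The `assert.Error(t, err)` immediately before `assertHandlerErrorCode` is presumably redundant if that helper already fails on a nil error; worth confirming and dropping one of the two.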