From 4323218ff378a99977ef1d5732100d09064e2ccc Mon Sep 17 00:00:00 2001
From: davelopez <46503462+davelopez@users.noreply.github.com>
Date: Mon, 20 Jan 2025 11:57:13 +0100
Subject: [PATCH] Add test to ensure other users cannot list credentials
---
 test/integration/test_credentials.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/test/integration/test_credentials.py b/test/integration/test_credentials.py
index f3edf266a080..6967f3c7a67b 100644
--- a/test/integration/test_credentials.py
+++ b/test/integration/test_credentials.py
@@ -39,6 +39,23 @@ def test_list_user_credentials(self):
 assert len(list_user_credentials) == 1
 assert list_user_credentials[0]["source_id"] == source_id
 
+ def test_other_users_cannot_list_credentials(self):
+ source_id = f"test_others_cant_list_credentials_{uuid4()}"
+ payload = self._build_credentials_payload(source_id=source_id)
+ self._provide_user_credentials(payload)
+
+ response = self._get(f"/api/users/current/credentials?source_type=tool&source_id={source_id}")
+ self._assert_status_code_is(response, 200)
+ list_user_credentials = response.json()
+ assert len(list_user_credentials) == 1
+ assert list_user_credentials[0]["source_id"] == source_id
+
+ with self._different_user():
+ response = self._get(f"/api/users/current/credentials?source_type=tool&source_id={source_id}")
+ self._assert_status_code_is(response, 200)
+ list_user_credentials = response.json()
+ assert len(list_user_credentials) == 0
+
 def test_list_by_source_id_requires_source_type(self):
 response = self._get("/api/users/current/credentials?source_id=test_tool")
 self._assert_status_code_is(response, 400)
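Review bot: The negative check in `test_other_users_cannot_list_credentials` covers only the query filtered by `source_type` and `source_id`, so a user-scoping regression in any other listing path would go unnoticed. Inside the `with self._different_user():` block, also assert on the unfiltered listing, assuming the endpoint accepts a request without filters: `unfiltered = self._get("/api/users/current/credentials").json()` followed by `assert all(c["source_id"] != source_id for c in unfiltered)`. The first half of the method repeats the assertions of `test_list_user_credentials`, and the URL string is written twice; binding it to a local once would keep the two requests identical by construction. The test class and the helpers `_different_user`, `_provide_user_credentials` and `_build_credentials_payload` are defined outside this hunk, so their behaviour is not checked here.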