Fix cross-user job history leak

2026-04-11 17:05:52 +02:00
parent 41595605b9
commit 811963749e
4 changed files with 227 additions and 0 deletions
@@ -0,0 +1,63 @@
+using JobTrackerApi.Controllers;
+using JobTrackerApi.Data;
+using JobTrackerApi.Models;
+using JobTrackerApi.Services;
+using JobTrackerApi.Tests.TestSupport;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+using Xunit;
+
+namespace JobTrackerApi.Tests;
+
+public sealed class JobApplicationsAuthorizationTests
+{
+    [Fact]
+    public async Task GetHistory_returns_not_found_for_other_users_job()
+    {
+        var dbName = Guid.NewGuid().ToString();
+        await using var ownerDb = CreateDb(dbName, "owner-1");
+        var company = new Company { Name = "Acme", OwnerUserId = "owner-1" };
+        ownerDb.Companies.Add(company);
+        await ownerDb.SaveChangesAsync();
+
+        var job = new JobApplication { JobTitle = "Secret Job", CompanyId = company.Id, OwnerUserId = "owner-1" };
+        ownerDb.JobApplications.Add(job);
+        await ownerDb.SaveChangesAsync();
+
+        ownerDb.JobEvents.Add(new JobEvent { JobApplicationId = job.Id, Type = "Created", Note = "owner only" });
+        await ownerDb.SaveChangesAsync();
+
+        await using var attackerDb = CreateDb(dbName, "other-user");
+        var controller = CreateController(attackerDb);
+
+        var result = await controller.GetHistory(job.Id, CancellationToken.None);
+
+        Assert.IsType<NotFoundResult>(result.Result);
+    }
+
+    private static JobTrackerContext CreateDb(string dbName, string? userId)
+    {
+        var options = new DbContextOptionsBuilder<JobTrackerContext>()
+            .UseInMemoryDatabase(dbName)
+            .Options;
+        var currentUser = new Mock<ICurrentUserService>();
+        currentUser.SetupGet(service => service.UserId).Returns(userId);
+        return new JobTrackerContext(options, currentUser.Object);
+    }
+
+    private static JobApplicationsController CreateController(JobTrackerContext db)
+    {
+        var summarizer = new Mock<ISummarizerService>();
+        var users = TestHostFactory.CreateUserManager();
+        return new JobApplicationsController(db, summarizer.Object, Mock.Of<IAppEmailSender>(), users.Object, NullLogger<JobApplicationsController>.Instance)
+        {
+            ControllerContext = new ControllerContext
+            {
+                HttpContext = new DefaultHttpContext()
+            }
+        };
+    }
+}