From ea13241317a15a78f2baf4e8229f607ef9141e45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADctor=20Fern=C3=A1ndez=20Poyatos?= Date: Fri, 20 Dec 2024 15:01:23 +0100 Subject: [PATCH] fix(users): fix /users/me behavior when having more than 1 users in the same tenant (#6284) --- .../tests/integration/test_authentication.py | 85 ++++++++++++++++++- api/src/backend/api/v1/views.py | 6 +- 2 files changed, 86 insertions(+), 5 deletions(-) diff --git a/api/src/backend/api/tests/integration/test_authentication.py b/api/src/backend/api/tests/integration/test_authentication.py index 63bd2066dc6..85dbbad315a 100644 --- a/api/src/backend/api/tests/integration/test_authentication.py +++ b/api/src/backend/api/tests/integration/test_authentication.py @@ -1,9 +1,8 @@ import pytest +from conftest import TEST_PASSWORD, get_api_tokens, get_authorization_header from django.urls import reverse from rest_framework.test import APIClient -from conftest import TEST_PASSWORD, get_api_tokens, get_authorization_header - @pytest.mark.django_db def test_basic_authentication(): 
@@ -96,3 +95,85 @@ def test_refresh_token(create_test_user, tenants_fixture): format="vnd.api+json", ) assert new_refresh_response.status_code == 200 + + +@pytest.mark.django_db +def test_user_me_when_inviting_users(create_test_user, tenants_fixture, roles_fixture): + client = APIClient() + + role = roles_fixture[0] + + user1_email = "user1@testing.com" + user2_email = "user2@testing.com" + + password = "thisisapassword123" + + user1_response = client.post( + reverse("user-list"), + data={ + "data": { + "type": "users", + "attributes": { + "name": "user1", + "email": user1_email, + "password": password, + }, + } + }, + format="vnd.api+json", + ) + assert user1_response.status_code == 201 + + user1_access_token, _ = get_api_tokens(client, user1_email, password) + user1_headers = get_authorization_header(user1_access_token) + + user2_invitation = client.post( + reverse("invitation-list"), + data={ + "data": { + "type": "invitations", + "attributes": {"email": user2_email}, + "relationships": { + "roles": { + "data": [ + { + "type": "roles", + "id": str(role.id), + } + ] + } + }, + } + }, + format="vnd.api+json", + headers=user1_headers, + ) + assert user2_invitation.status_code == 201 + invitation_token = user2_invitation.json()["data"]["attributes"]["token"] + + user2_response = client.post( + reverse("user-list") + f"?invitation_token={invitation_token}", + data={ + "data": { + "type": "users", + "attributes": { + "name": "user2", + "email": user2_email, + "password": password, + }, + } + }, + format="vnd.api+json", + ) + assert user2_response.status_code == 201 + + user2_access_token, _ = get_api_tokens(client, user2_email, password) + user2_headers = get_authorization_header(user2_access_token) + + user1_me = client.get(reverse("user-me"), headers=user1_headers) + assert user1_me.status_code == 200 + assert user1_me.json()["data"]["attributes"]["email"] == user1_email + + user2_me = client.get(reverse("user-me"), headers=user2_headers) + assert 
user2_me.status_code == 200 + assert user2_me.json()["data"]["attributes"]["email"] == user2_email diff --git a/api/src/backend/api/v1/views.py b/api/src/backend/api/v1/views.py index cc4e4f507d5..c23a650ad98 100644 --- a/api/src/backend/api/v1/views.py +++ b/api/src/backend/api/v1/views.py @@ -98,9 +98,9 @@ OverviewServiceSerializer, OverviewSeveritySerializer, ProviderCreateSerializer, + ProviderGroupCreateSerializer, ProviderGroupMembershipSerializer, ProviderGroupSerializer, - ProviderGroupCreateSerializer, ProviderGroupUpdateSerializer, ProviderSecretCreateSerializer, ProviderSecretSerializer, @@ -192,7 +192,7 @@ class SchemaView(SpectacularAPIView): def get(self, request, *args, **kwargs): spectacular_settings.TITLE = "Prowler API" - spectacular_settings.VERSION = "1.1.0" + spectacular_settings.VERSION = "1.1.1" spectacular_settings.DESCRIPTION = ( "Prowler API specification.\n\nThis file is auto-generated." ) @@ -328,7 +328,7 @@ def get_serializer_class(self): @action(detail=False, methods=["get"], url_name="me") def me(self, request): - user = self.get_queryset().first() + user = self.request.user serializer = UserSerializer(user, context=self.get_serializer_context()) return Response( data=serializer.data,
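Review bot: The two final asserts pin each `/users/me` response only by the `email` attribute, while the regression being fixed is the endpoint returning a different tenant member's record, so the test would be tighter if it also asserted resource identity, e.g. `assert user2_me.json()["data"]["id"] == user2_response.json()["data"]["id"]` and the matching line for user1. With the removed `first()`-based lookup the user1 check would presumably still have passed (user1 was created first), so the user2 assertions are the ones that actually guard the fix; a short comment above them such as `# user2 is the second member of the tenant: the old first()-based lookup returned user1 here` makes that intent durable. The leading context lines belong to `test_refresh_token`, which starts outside the hunk; `test_user_me_when_inviting_users` itself is complete within it.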
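Review bot: `user = self.request.user` is the correct identity source for `me`, but the action's safety now rests entirely on the viewset's authentication and permission configuration, which is outside the hunk: if this action is reachable unauthenticated, `request.user` is `AnonymousUser` and `UserSerializer` raises instead of the view answering 401. Confirm the enclosing `UserViewSet` requires authentication for this action, or guard explicitly with `if not request.user.is_authenticated: raise NotAuthenticated()` before serializing. The removed `self.get_queryset().first()` handed any authenticated user another tenant member's profile whenever the tenant had more than one member, so a one-line docstring, `"""Return the authenticated user's own record, independent of tenant membership order."""`, would record why the tenant-scoped queryset must not be used here. The enclosing class starts outside the hunk.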