test: add failing test for project background delete with read-only access

Proves that a user with read-only access to a project can delete its
background image. The test expects a 403 Forbidden but the operation
proceeds because RemoveProjectBackground only checks CanRead.

Adds fixture entry giving user 15 read-only access to project 35
(which has a background_file_id).

Ref: GHSA-564f-wx8x-878h
This commit is contained in:
kolaente 2026-03-20 10:14:35 +01:00 committed by kolaente
parent bc6d843ed4
commit f60f3af70b
2 changed files with 53 additions and 0 deletions

View File

@ -112,3 +112,9 @@
permission: 0
updated: 2018-12-02 15:13:12
created: 2018-12-01 15:13:12
- id: 20
user_id: 15
project_id: 35
permission: 0
updated: 2018-12-02 15:13:12
created: 2018-12-01 15:13:12

View File

@ -0,0 +1,47 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package webtests
import (
"net/http"
"testing"
bgHandler "code.vikunja.io/api/pkg/modules/background/handler"
"github.com/stretchr/testify/assert"
)
func TestProjectBackgroundDeletePermission(t *testing.T) {
t.Run("Read-only user cannot delete project background", func(t *testing.T) {
// testuser15 has read-only access (permission: 0) to project 35,
// which has background_file_id: 1.
// Deleting the background should require write access.
_, err := newTestRequestWithUser(
t,
http.MethodDelete,
bgHandler.RemoveProjectBackground,
&testuser15,
"",
nil,
map[string]string{"project": "35"},
)
// Should be forbidden for a read-only user
assert.Error(t, err)
assert.Equal(t, http.StatusForbidden, getHTTPErrorCode(err))
})
}