File size: 2,387 Bytes
310260a | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 | """
Security Tests for delete_task Tool
Validates security aspects of delete_task tool:
- Task ownership enforcement
- Cross-user access prevention
"""
import pytest
from src.tools.delete_task import delete_task_internal
from tests.utils.task_helpers import create_test_task, get_task_by_id
@pytest.mark.security
@pytest.mark.asyncio
async def test_delete_task_enforces_task_ownership(mock_mcp_context, mock_mcp_context_user2, test_session):
"""
Test: delete_task enforces task ownership
Verifies that users can only delete their own tasks.
"""
# Setup: Create tasks for both users
user1_task = create_test_task(test_session, mock_mcp_context.user_id, title="User 1 Task")
user2_task = create_test_task(test_session, mock_mcp_context_user2.user_id, title="User 2 Task")
# User 1 deletes their own task (should succeed)
result1 = await delete_task_internal(
ctx=mock_mcp_context,
task_id=user1_task.id
)
assert result1["status"] == "success"
# User 1 tries to delete user 2's task (should fail)
result2 = await delete_task_internal(
ctx=mock_mcp_context,
task_id=user2_task.id
)
assert result2["status"] == "error"
assert "not found" in result2["error"].lower()
# Verify user 2's task still exists
unchanged_task = get_task_by_id(test_session, user2_task.id)
assert unchanged_task is not None
@pytest.mark.security
@pytest.mark.asyncio
async def test_delete_task_with_user1_context_cannot_delete_user2_task(mock_mcp_context, mock_mcp_context_user2, test_session):
"""
Test: delete_task with user1 context cannot delete user2 task
Verifies complete isolation - user 1 cannot delete user 2's tasks.
"""
# Setup: Create task for user 2
user2_task = create_test_task(
test_session,
mock_mcp_context_user2.user_id,
title="User 2 Important Task"
)
# User 1 attempts to delete user 2's task
result = await delete_task_internal(
ctx=mock_mcp_context,
task_id=user2_task.id
)
# Assert - should fail
assert result["status"] == "error"
assert "not found" in result["error"].lower()
# Verify user 2's task still exists
unchanged_task = get_task_by_id(test_session, user2_task.id)
assert unchanged_task is not None
assert unchanged_task.title == "User 2 Important Task"
|