From 4541f90ce8c4a3ef02c084b923cc9c42208c97cd Mon Sep 17 00:00:00 2001 From: Marcel Date: Fri, 12 Jun 2026 11:40:44 +0200 Subject: [PATCH] test(geschichte): add security regression tests for CWE-639 null-status and DRAFT scoping Co-Authored-By: Claude Sonnet 4.6
---
 .../geschichte/GeschichteServiceTest.java | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java b/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
index 86cdd2a2..261b5bd9 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
@@ -307,6 +307,32 @@ class GeschichteServiceTest { assertThat(out).hasSizeLessThanOrEqualTo(200); } + @Test + @DisplayName("security: null status for blog writer returns PUBLISHED, never leaks drafts") + void list_with_blog_writer_and_null_status_returns_PUBLISHED_not_all_drafts() { + authenticateAs(writer, Permission.BLOG_WRITE); + when(geschichteRepository.findSummaries(any(), any(), any(), anyLong(), any())) + .thenReturn(List.of()); + + geschichteService.list(null, List.of(), null, 50); + + verify(geschichteRepository).findSummaries( + eq(GeschichteStatus.PUBLISHED), isNull(), any(), anyLong(), any()); + } + + @Test + @DisplayName("security: DRAFT status scopes to current user only") + void list_with_DRAFT_status_scopes_to_current_user_not_all_authors() { + authenticateAs(writer, Permission.BLOG_WRITE); + when(geschichteRepository.findSummaries(any(), any(), any(), anyLong(), any())) + .thenReturn(List.of()); + + geschichteService.list(GeschichteStatus.DRAFT, List.of(), null, 50); + + verify(geschichteRepository).findSummaries( + eq(GeschichteStatus.DRAFT), eq(writer.getId()), any(), anyLong(), any()); + } + // ─── create ────────────────────────────────────────────────────────────── @Test
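Review bot: The `verify(geschichteRepository).findSummaries(eq(GeschichteStatus.PUBLISHED), isNull(), any(), anyLong(), any())` assertion in the first added test still passes if the service also issued a second `findSummaries` call with `DRAFT` (or any other status), because Mockito's `verify` only requires one matching invocation and ignores non-matching ones; a test whose display name promises drafts are never fetched should close that gap by following each `verify(...)` with `verifyNoMoreInteractions(geschichteRepository);`, in both new tests (the `when(...).thenReturn(List.of())` stub does not count as an interaction). Both tests also exercise only a principal holding `Permission.BLOG_WRITE`, so the denial half of the CWE-639 regression — a caller without that permission asking for `GeschichteStatus.DRAFT` — is not covered; if the fixture provides a non-writer principal, a third test asserting that such a request is either rejected or coerced to `PUBLISHED` at the repository boundary would complete the pair. Consider naming the expected value of the fifth `findSummaries` argument instead of `any()` if it carries the requesting user's identity, since that is the other input an authorization bypass could flow through, but I cannot tell from the hunk what that parameter is. The enclosing class `GeschichteServiceTest` starts and ends outside the hunk.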