/// <summary>
/// Cross-account isolation test: expenses and imported expenses that belong to
/// "Hans" must not be readable, linkable or referenceable by "Petra".
/// Probes, in order: a direct read of Hans's expense list, the related-expense
/// lookup from Petra's own import, the import/link endpoint, and the
/// create-expense command's HandlesImportedExpenseId.
/// </summary>
public async Task EnsureThatExpensesFromOtherAccountsDoNotLeak()
{
    using (var fixture = new GeldAppFixture())
    {
        await fixture.Login("Hans");

        // Import a CSV as Hans and pick up the single resulting unhandled import.
        var csvBytes = File.ReadAllBytes("Import/dkb-import-test.csv");
        await fixture.PostFileAsync("/api/account/Hans/import/csv", "csvFile", "file.csv", csvBytes);
        var hansImport = (await fixture.GetAsync<ImportedExpense[]>("/api/account/Hans/imports/unhandled")).Single();

        // An expense dated two days before the import's booking day — presumably
        // inside the related-expense date window, since the lookup below finds it.
        await fixture.AddExpenseAsync("Hans", -12.34M, "Correct", "Subcategory",
            ex => ex.Date = hansImport.BookingDay.AddDays(-2).Date);

        var hansRelatedUrl = $"/api/account/Hans/expenses?relatedToImportedExpense={hansImport.Id}";
        var hansRelated = await fixture.GetAsync<ExpenseViewModel[]>(hansRelatedUrl);
        hansRelated.Should().HaveCount(1);
        var hansRelatedExpense = hansRelated.Single();
        hansRelatedExpense.CategoryName.Should().Be("Correct");

        // Switch identity; every access below must be denied or come back empty.
        fixture.Logout();
        await fixture.Login("Petra");

        // Direct read of another account's expenses is rejected outright.
        await fixture.ExpectGetAsync(hansRelatedUrl, HttpStatusCode.Unauthorized);

        // Petra imports the same CSV: the related-expense lookup on her own import
        // must not surface Hans's expense even though the booking data matches.
        await fixture.PostFileAsync("/api/account/Petra/import/csv", "csvFile", "file.csv", csvBytes);
        var petraImport = (await fixture.GetAsync<ImportedExpense[]>("/api/account/Petra/imports/unhandled")).Single();
        var petraRelated = await fixture.GetAsync<ExpenseViewModel[]>(
            $"/api/account/Petra/expenses?relatedToImportedExpense={petraImport.Id}");
        petraRelated.Should().BeEmpty();

        // Linking Hans's ids: through Hans's account it is Unauthorized; through
        // Petra's own account it is NotFound (presumably so that foreign ids are
        // indistinguishable from nonexistent ones — confirm against the handler).
        var linkQuery = $"importedExpenseId={hansImport.Id}&relatedExpenseId={hansRelatedExpense.Id}";
        await fixture.ExpectPostAsync($"/api/account/Hans/import/link?{linkQuery}", HttpStatusCode.Unauthorized);
        await fixture.ExpectPostAsync($"/api/account/Petra/import/link?{linkQuery}", HttpStatusCode.NotFound);

        // Creating an expense that claims to handle Hans's import follows the same pattern.
        await fixture.ExpectAddExpenseAsync("Hans", 10, "Cat", "Sub",
            modCmd: cmd => cmd.HandlesImportedExpenseId = hansImport.Id,
            expectedStatus: HttpStatusCode.Unauthorized);
        await fixture.ExpectAddExpenseAsync("Petra", 10, "Cat", "Sub",
            modCmd: cmd => cmd.HandlesImportedExpenseId = hansImport.Id,
            expectedStatus: HttpStatusCode.NotFound);
    }
}