@@ -2217,6 +2217,51 @@ async def _should_not_call_single_lookup(session_id: str):
22172217 assert called ["batch_lookup_count" ] == 1
22182218
22192219
2220+ @pytest .mark .asyncio
2221+ @pytest .mark .parametrize (
2222+ "path_template" ,
2223+ [
2224+ "/api/chat/get_session?session_id={session_id}" ,
2225+ "/api/v1/chat/sessions/{session_id}" ,
2226+ ],
2227+ )
2228+ async def test_get_chat_session_rejects_session_owned_by_another_user (
2229+ app : FastAPIAppAdapter ,
2230+ authenticated_header : dict ,
2231+ core_lifecycle_td : AstrBotCoreLifecycle ,
2232+ path_template : str ,
2233+ ):
2234+ test_client = app .test_client ()
2235+ session_id = f"foreign_get_session_{ uuid .uuid4 ().hex [:8 ]} "
2236+ await core_lifecycle_td .db .create_platform_session (
2237+ creator = "not_dashboard_user" ,
2238+ platform_id = "webchat" ,
2239+ session_id = session_id ,
2240+ display_name = "Foreign Session" ,
2241+ is_group = 0 ,
2242+ )
2243+ await core_lifecycle_td .platform_message_history_manager .insert (
2244+ platform_id = "webchat" ,
2245+ user_id = session_id ,
2246+ content = {
2247+ "type" : "user" ,
2248+ "message" : [{"type" : "text" , "text" : "foreign session secret" }],
2249+ },
2250+ sender_id = "not_dashboard_user" ,
2251+ sender_name = "not_dashboard_user" ,
2252+ )
2253+
2254+ response = await test_client .get (
2255+ path_template .format (session_id = session_id ),
2256+ headers = authenticated_header ,
2257+ )
2258+
2259+ assert response .status_code == 200
2260+ data = await response .get_json ()
2261+ assert data ["status" ] == "error"
2262+ assert data ["message" ] == "Permission denied"
2263+
2264+
22202265@pytest .mark .asyncio
22212266async def test_plugins (
22222267 app : FastAPIAppAdapter ,