ulysses/tests
Ernest Hysa 360bc83a66
fix(history): scope topic analysis to authenticated owner only (#744)
Two changes close the cross-tenant topic leak in /api/conversations/topics.

The route at routes/history_routes.py:478 used get_current_user, which
returns None when no auth middleware has set request.state.current_user
(loopback-bypass, AUTH_ENABLED=false, or any path that short-circuits the
middleware). It then forwarded owner=None to analyze_topics.

The helper at src/topic_analyzer.py:21 used an 'if owner:' short-circuit
in its owner filter, so the None owner took the no-filter path and the
helper silently aggregated topic frequencies and per-snippet session_id,
session_name, role, and snippet text across every user's sessions.

analyze_topics now returns an empty result when owner is falsy. The
inner short-circuit is removed because the filter is now strict by
construction. The route is switched to require_user, which raises 401
when auth_manager.is_configured is True and the caller is anonymous,
matching the pattern used by calendar_routes, skills_routes, and other
authenticated routes.

The test test_history_topics_owner_scope.py was rewritten to drive the
real route through FastAPI's TestClient with a stub AuthMiddleware that
mirrors the loopback-bypass branch, and now asserts a strict 401 from
the route and an empty result from the helper. The previous version of
the test accepted either a 200-with-empty-topics or a 401; the strict
assertion means a future regression that drops the require_user wrapper
or re-adds the inner short-circuit is caught immediately.
2026-06-02 11:36:01 +09:00
..
bombadil-spec.ts Odysseus v1.0 2026-05-31 23:58:26 +09:00
conftest.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_action_intents.py Route calendar action requests to tools 2026-06-01 14:32:41 +09:00
test_agent_loop.py Fix tool-calling HTTP 400 on Gemini and Ollama: send null, not empty, assistant content 2026-06-02 00:34:51 +00:00
test_app.py Fix fresh checkout test failures 2026-06-01 02:22:17 +00:00
test_app_static_mime.py fix: normalize JS static MIME types on Windows 2026-06-02 01:32:00 +02:00
test_auth_event_loop.py Stabilize security regression tests 2026-06-02 05:48:59 +09:00
test_auth_regressions.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
test_auth_session_revocation.py Stabilize auth session revocation tests 2026-06-02 06:02:49 +09:00
test_backup_cli_security.py Harden backup restore tar extraction 2026-06-02 05:55:03 +09:00
test_calendar_owner_scope.py Stabilize security regression tests 2026-06-02 05:48:59 +09:00
test_calendar_recurrence.py Fix YEARLY recurring CalDAV events only showing on DTSTART year (#179) 2026-06-01 13:42:44 +09:00
test_chat_stream_scope.py Fix chat stream recovery and PDF library indexing (#468) 2026-06-01 22:33:35 +09:00
test_chroma_client.py fix: ChromaDB unreachable blocks app startup for 30-60s (#326) (#476) 2026-06-01 22:22:41 +09:00
test_companion_readonly.py Add read-only companion endpoints (ping/info/owner-scoped models) (#863) 2026-06-02 11:20:53 +09:00
test_compare_js.py Fix duplicate compare modal on repeated clicks (#491) 2026-06-01 22:24:27 +09:00
test_context_compactor.py Preserve large pasted messages in context 2026-06-01 12:38:35 +09:00
test_cookbook_helpers.py Fix cookbook pip installs in venvs (#723) 2026-06-02 11:31:59 +09:00
test_deep_research_extraction_controls.py Add Deep Research extraction controls 2026-06-01 14:55:33 +09:00
test_document_tool_owner_scope.py Scope document tools to caller owner 2026-06-02 06:00:02 +09:00
test_endpoint_resolver.py Never resolve to a disabled endpoint model (#861) 2026-06-02 11:10:43 +09:00
test_esc_menu_stack_js.py fix: make transient dropdown/popup menus close on Escape 2026-06-01 14:23:22 -04:00
test_gallery_image_privileges.py Gate image editor AI endpoints by privilege (#447) 2026-06-01 22:35:24 +09:00
test_history_topics_owner_scope.py fix(history): scope topic analysis to authenticated owner only (#744) 2026-06-02 11:36:01 +09:00
test_hwfit_macos.py fix: require GGUF sources for llama downloads (#368) 2026-06-01 22:47:47 +09:00
test_keybind_altgr_js.py Ignore AltGr keystrokes in Ctrl+Alt keyboard shortcuts (#825) 2026-06-02 11:12:54 +09:00
test_llm_core_anthropic_cache.py Add Anthropic prompt caching to the agent loop (#812) 2026-06-02 11:14:31 +09:00
test_llm_core_concurrency.py Make LLM host health maps thread-safe 2026-06-02 05:54:23 +09:00
test_llm_core_ollama.py feat(ai): add OpenRouter and Ollama Cloud providers (#231) 2026-06-01 14:26:10 +09:00
test_llm_core_sanitize_tool_calls.py Keep no-prose assistant tool-call messages through _sanitize_llm_messages (#862) 2026-06-02 11:17:22 +09:00
test_markitdown_runtime.py Add optional markitdown extraction for Office/EPUB documents (#766) 2026-06-02 11:28:52 +09:00
test_memory_extractor_vector_degraded.py fix: data integrity — deep-research result parsing + memory-extraction durability (#808) 2026-06-02 11:27:31 +09:00
test_model_context.py Refresh local model context after restart 2026-06-02 05:54:06 +09:00
test_model_routes.py Improve Ollama endpoint error messages 2026-06-02 05:53:50 +09:00
test_null_owner_gates.py Fix test suite: ESM module loading and stub isolation (#844) 2026-06-02 11:29:29 +09:00
test_pdf_runtime.py Show a clear message when PyMuPDF is missing 2026-06-01 18:27:17 +09:00
test_personal_docs_office_index.py Add optional markitdown extraction for Office/EPUB documents (#766) 2026-06-02 11:28:52 +09:00
test_personal_docs_pdf_index.py Fix chat stream recovery and PDF library indexing (#468) 2026-06-01 22:33:35 +09:00
test_personal_upload_isolation.py Scope personal RAG uploads by owner (#446) 2026-06-01 22:36:53 +09:00
test_provider_detection.py Provider detection: match by hostname instead of substring (re #768) (#815) 2026-06-02 11:11:17 +09:00
test_rate_limiter.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_reply_recipients_js.py Keep Cc recipients in reply-all 2026-06-01 18:29:22 +09:00
test_research_query_fallback.py Deep research: don't treat a bare 'yes' as the research topic (#858) 2026-06-02 11:30:53 +09:00
test_research_service.py fix: data integrity — deep-research result parsing + memory-extraction durability (#808) 2026-06-02 11:27:31 +09:00
test_research_session_id_validation.py fix(research): validate session_id to block path traversal 2026-06-01 23:25:38 +01:00
test_research_utils.py fix: deep research discards valid sources mentioning cookies/copyright (#481) 2026-06-01 22:26:37 +09:00
test_reserved_username_admin_escalation.py Reserve internal sentinel usernames 2026-06-02 05:58:58 +09:00
test_review_regressions.py Restrict provider discovery to admins 2026-06-02 05:54:40 +09:00
test_search_cache_invalidation.py Fix invalidate_search_cache using a key that never matches stored entries (#852) 2026-06-02 10:53:33 +09:00
test_search_query.py Fix year extraction in research queries 2026-06-01 23:09:41 +09:00
test_search_ranking.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
test_security_regressions.py Honor AUTH_ENABLED=false in route-level auth gate (#785) 2026-06-02 11:23:47 +09:00
test_session_mode_helpers.py Fix database stubs in regression tests (#301) 2026-06-01 16:55:09 +09:00
test_settings_scrub.py Deep-scrub secrets from public settings 2026-06-01 23:11:50 +09:00
test_setup_admin_user.py Normalize setup admin username (#448) 2026-06-01 22:38:56 +09:00
test_shell_routes.py Harden Cookbook package SSH probe 2026-06-01 22:44:34 +09:00
test_skill_index_prompt_injection.py fix(agent-loop): wrap matched skills + skill index in untrusted user-role message (#788) 2026-06-02 11:15:45 +09:00
test_skills_manager_owner_isolation.py fix(skills): scope skill reads to caller owner (#777) 2026-06-02 11:21:27 +09:00
test_speech_service_toggles.py Honor disabled speech service toggles (#814) 2026-06-02 10:44:39 +09:00
test_task_scheduler_session_delivery.py Fix test suite: ESM module loading and stub isolation (#844) 2026-06-02 11:29:29 +09:00
test_vision_model_detection.py Recognize local vision models so their images aren't dropped (#185) 2026-06-01 13:09:21 +09:00
test_visual_report.py Fix visual report chapter navigation (#505) 2026-06-01 22:26:13 +09:00
test_webhook_trigger_auth_exempt.py Exempt task webhook trigger from session auth (#784) 2026-06-02 11:23:40 +09:00