From 19c313767c153282e3b4f7752c89d57b1cb68007 Mon Sep 17 00:00:00 2001 From: counterweight Date: Sun, 21 Dec 2025 17:28:21 +0100 Subject: [PATCH] Fix: Validate source_date in copy availability endpoint Added validation to ensure source_date is within the allowed range (tomorrow to +30 days) for consistency with target_dates validation. --- backend/routes/availability.py | 3 +++ backend/tests/test_availability.py | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/backend/routes/availability.py b/backend/routes/availability.py index 77531e3..a7dd35f 100644 --- a/backend/routes/availability.py +++ b/backend/routes/availability.py @@ -141,6 +141,9 @@ async def copy_availability( """Copy availability from one day to multiple target days.""" min_date, max_date = _get_date_range_bounds() + # Validate source date is in range (for consistency, though DB query would fail anyway) + _validate_date_in_range(request.source_date, min_date, max_date) + # Validate target dates for target_date in request.target_dates: _validate_date_in_range(target_date, min_date, max_date) diff --git a/backend/tests/test_availability.py b/backend/tests/test_availability.py index 49c3e98..4e08ab8 100644 --- a/backend/tests/test_availability.py +++ b/backend/tests/test_availability.py @@ -524,3 +524,17 @@ class TestCopyAvailability: assert response.status_code == 400 assert "30" in response.json()["detail"] + @pytest.mark.asyncio + async def test_copy_validates_source_date(self, client_factory, admin_user): + """Cannot copy from a past source date.""" + async with client_factory.create(cookies=admin_user["cookies"]) as client: + response = await client.post( + "/api/admin/availability/copy", + json={ + "source_date": str(date.today() - timedelta(days=1)), # Yesterday + "target_dates": [str(in_days(1))], + }, + ) + + assert response.status_code == 400 + assert "past" in response.json()["detail"].lower()