MEDIUM: GET /recipes/saved/collections missing tier gate — free users can list paid feature #95

New issue

Closed

opened 2026-04-18 09:02:56 -07:00 by pyr0ball · 0 comments

pyr0ball commented 2026-04-18 09:02:56 -07:00

Owner

Copy link

Summary

The GET /api/v1/recipes/saved/collections endpoint is missing a tier check. Free-tier users can call it (they get an empty list, since they have no collections). All write operations (POST, PATCH, DELETE) are properly gated. The GET is an inconsistency.

Affected Code

app/api/endpoints/saved_recipes.py:

@router.get("/collections", response_model=list[CollectionSummary])
async def list_collections(
    session: CloudUser = Depends(get_session),
) -> list[CollectionSummary]:
    rows = await asyncio.to_thread(...)  # ← no tier check
    return [CollectionSummary(**r) for r in rows]

While this is low-risk (free users get an empty list), it violates feature-gating consistency and may confuse the frontend about whether the feature is available.

Fix

@router.get("/collections", response_model=list[CollectionSummary])
async def list_collections(
    session: CloudUser = Depends(get_session),
) -> list[CollectionSummary]:
    if not can_use("recipe_collections", session.tier):
        raise HTTPException(status_code=403, detail="Collections require Paid tier.")
    rows = await asyncio.to_thread(...)
    return [CollectionSummary(**r) for r in rows]

## Summary The `GET /api/v1/recipes/saved/collections` endpoint is missing a tier check. Free-tier users can call it (they get an empty list, since they have no collections). All write operations (POST, PATCH, DELETE) are properly gated. The GET is an inconsistency. ## Affected Code `app/api/endpoints/saved_recipes.py`: ```python @router.get("/collections", response_model=list[CollectionSummary]) async def list_collections( session: CloudUser = Depends(get_session), ) -> list[CollectionSummary]: rows = await asyncio.to_thread(...) # ← no tier check return [CollectionSummary(**r) for r in rows] ``` While this is low-risk (free users get an empty list), it violates feature-gating consistency and may confuse the frontend about whether the feature is available. ## Fix ```python @router.get("/collections", response_model=list[CollectionSummary]) async def list_collections( session: CloudUser = Depends(get_session), ) -> list[CollectionSummary]: if not can_use("recipe_collections", session.tier): raise HTTPException(status_code=403, detail="Collections require Paid tier.") rows = await asyncio.to_thread(...) return [CollectionSummary(**r) for r in rows] ```

pyr0ball closed this issue 2026-04-18 16:02:26 -07:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/recipe-enrichment-and-bugfixes

fix/a11y-audit

feature/community

feature/meal-planner

feature/orch-auto-lifecycle

feature/shared-task-scheduler

v0.5.1

v0.3.0

v0.5.0

v0.2.0

Labels

Clear labels   

accessibility

  

backlog

  

beta-feedback

  

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

feature-request

  

help wanted

Need some help

  

invalid

Something is wrong

  

needs-design

  

needs-triage

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

accessibility

backlog

beta-feedback

bug

duplicate

enhancement

feature-request

help wanted

invalid

needs-design

needs-triage

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Circuit-Forge/kiwi#95

No description provided.