test(moderation): enforce group profile edit permissions by role

2026-03-08 20:04:55 +03:00
parent 57b687a036
commit 1a3a54cfb9
2 changed files with 57 additions and 1 deletions
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -251,6 +251,62 @@ async def test_channel_admin_can_delete_channel_for_all(client, db_session):
    assert all(chat["id"] != chat_id for chat in owner_chats.json())


+async def test_group_member_cannot_edit_chat_profile(client, db_session):
+    owner = await _create_verified_user(client, db_session, "group_profile_owner@example.com", "group_profile_owner", "strongpass123")
+    member = await _create_verified_user(client, db_session, "group_profile_member@example.com", "group_profile_member", "strongpass123")
+
+    me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
+    member_id = me_member.json()["id"]
+
+    create_group = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Editable group", "member_ids": [member_id]},
+    )
+    assert create_group.status_code == 200
+    chat_id = create_group.json()["id"]
+
+    member_edit = await client.patch(
+        f"/api/v1/chats/{chat_id}/profile",
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+        json={"title": "Member changed title"},
+    )
+    assert member_edit.status_code == 403
+
+
+async def test_group_admin_can_edit_chat_profile(client, db_session):
+    owner = await _create_verified_user(client, db_session, "group_profile_owner2@example.com", "group_profile_owner2", "strongpass123")
+    admin_user = await _create_verified_user(client, db_session, "group_profile_admin2@example.com", "group_profile_admin2", "strongpass123")
+
+    me_admin = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {admin_user['access_token']}"})
+    admin_id = me_admin.json()["id"]
+
+    create_group = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Admin editable group", "member_ids": [admin_id]},
+    )
+    assert create_group.status_code == 200
+    chat_id = create_group.json()["id"]
+
+    promote_admin = await client.patch(
+        f"/api/v1/chats/{chat_id}/members/{admin_id}/role",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"role": "admin"},
+    )
+    assert promote_admin.status_code == 200
+
+    admin_edit = await client.patch(
+        f"/api/v1/chats/{chat_id}/profile",
+        headers={"Authorization": f"Bearer {admin_user['access_token']}"},
+        json={"title": "Admin changed title", "description": "Updated by admin"},
+    )
+    assert admin_edit.status_code == 200
+    body = admin_edit.json()
+    assert body["title"] == "Admin changed title"
+    assert body["description"] == "Updated by admin"
+
+
 async def test_group_invite_privacy_contacts_only(client, db_session):
    inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
    target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")