From 1ef0cdf29d509871d52fc849c98fa312bf0e0525 Mon Sep 17 00:00:00 2001 From: benya Date: Sun, 8 Mar 2026 19:45:37 +0300 Subject: [PATCH] test(channel): forbid member delete with for_all --- tests/test_chat_message_flow.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/test_chat_message_flow.py b/tests/test_chat_message_flow.py index 153ffa4..06c8a82 100644 --- a/tests/test_chat_message_flow.py +++ b/tests/test_chat_message_flow.py @@ -162,6 +162,29 @@ async def test_channel_member_delete_chat_behaves_as_leave(client, db_session): assert any(chat["id"] == chat_id for chat in owner_chats.json()) +async def test_channel_member_cannot_delete_for_all(client, db_session): + owner = await _create_verified_user(client, db_session, "channel_owner2@example.com", "channel_owner2", "strongpass123") + member = await _create_verified_user(client, db_session, "channel_member2@example.com", "channel_member2", "strongpass123") + + me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"}) + member_id = me_member.json()["id"] + + create_channel = await client.post( + "/api/v1/chats", + headers={"Authorization": f"Bearer {owner['access_token']}"}, + json={"type": ChatType.CHANNEL.value, "title": "Test channel 2", "member_ids": [member_id]}, + ) + assert create_channel.status_code == 200 + chat_id = create_channel.json()["id"] + + delete_for_all_by_member = await client.delete( + f"/api/v1/chats/{chat_id}", + params={"for_all": True}, + headers={"Authorization": f"Bearer {member['access_token']}"}, + ) + assert delete_for_all_by_member.status_code == 403 + + async def test_group_invite_privacy_contacts_only(client, db_session): inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123") target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")