test(channel): forbid member delete with for_all

tests/test_chat_message_flow.py

@@ -162,6 +162,29 @@ async def test_channel_member_delete_chat_behaves_as_leave(client, db_session):
     assert any(chat["id"] == chat_id for chat in owner_chats.json())
 
 
+async def test_channel_member_cannot_delete_for_all(client, db_session):
+    owner = await _create_verified_user(client, db_session, "channel_owner2@example.com", "channel_owner2", "strongpass123")
+    member = await _create_verified_user(client, db_session, "channel_member2@example.com", "channel_member2", "strongpass123")
+
+    me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
+    member_id = me_member.json()["id"]
+
+    create_channel = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.CHANNEL.value, "title": "Test channel 2", "member_ids": [member_id]},
+    )
+    assert create_channel.status_code == 200
+    chat_id = create_channel.json()["id"]
+
+    delete_for_all_by_member = await client.delete(
+        f"/api/v1/chats/{chat_id}",
+        params={"for_all": True},
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+    )
+    assert delete_for_all_by_member.status_code == 403
+
+
 async def test_group_invite_privacy_contacts_only(client, db_session):
     inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
     target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")