test(invites): cover join-by-token and invite-link permissions

2026-03-08 20:19:16 +03:00
parent 90c2bdcd96
commit 58e85d0a64
2 changed files with 58 additions and 1 deletions
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -454,6 +454,63 @@ async def test_group_owner_cannot_demote_self_from_owner_role(client, db_session
    assert owner_try_self_demote.status_code == 422


+async def test_group_invite_link_allows_join_by_token(client, db_session):
+    owner = await _create_verified_user(client, db_session, "invite_owner@example.com", "invite_owner", "strongpass123")
+    joiner = await _create_verified_user(client, db_session, "invite_joiner@example.com", "invite_joiner", "strongpass123")
+
+    create_group = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Invite group", "member_ids": []},
+    )
+    assert create_group.status_code == 200
+    chat_id = create_group.json()["id"]
+
+    invite_link = await client.post(
+        f"/api/v1/chats/{chat_id}/invite-link",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+    )
+    assert invite_link.status_code == 200
+    token = invite_link.json()["token"]
+
+    join_response = await client.post(
+        "/api/v1/chats/join-by-invite",
+        headers={"Authorization": f"Bearer {joiner['access_token']}"},
+        json={"token": token},
+    )
+    assert join_response.status_code == 200
+    assert join_response.json()["id"] == chat_id
+
+    joiner_chats = await client.get(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {joiner['access_token']}"},
+    )
+    assert joiner_chats.status_code == 200
+    assert any(chat["id"] == chat_id for chat in joiner_chats.json())
+
+
+async def test_group_member_cannot_create_invite_link(client, db_session):
+    owner = await _create_verified_user(client, db_session, "invite_owner2@example.com", "invite_owner2", "strongpass123")
+    member = await _create_verified_user(client, db_session, "invite_member2@example.com", "invite_member2", "strongpass123")
+
+    me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
+    member_id = me_member.json()["id"]
+
+    create_group = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Invite rights", "member_ids": [member_id]},
+    )
+    assert create_group.status_code == 200
+    chat_id = create_group.json()["id"]
+
+    member_invite_link = await client.post(
+        f"/api/v1/chats/{chat_id}/invite-link",
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+    )
+    assert member_invite_link.status_code == 403
+
+
 async def test_group_invite_privacy_contacts_only(client, db_session):
    inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
    target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")