From 6930e73b9f61e8c3d707dae9698fd8a747371ca6 Mon Sep 17 00:00:00 2001
From: benya <benya@daemonlord.ru>
Date: Sun, 8 Mar 2026 19:58:10 +0300
Subject: [PATCH] test(channels): enforce member read-only posting permissions

---
 docs/core-checklist-status.md   |  2 +-
 tests/test_chat_message_flow.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/docs/core-checklist-status.md b/docs/core-checklist-status.md
index 52968d2..6bfb434 100644
--- a/docs/core-checklist-status.md
+++ b/docs/core-checklist-status.md
@@ -31,7 +31,7 @@ Legend:
 22. Text Formatting - `PARTIAL` (bold/italic/underline/spoiler/mono/links + strikethrough + quote/code block; toolbar still evolving)
 23. Groups - `PARTIAL` (create/add/remove/invite link; advanced moderation partial)
 24. Roles - `DONE` (owner/admin/member)
-25. Admin Rights - `PARTIAL` (delete/pin/edit info + explicit ban API for groups/channels; channel member delete now behaves as leave, remaining UX moderation tools limited)
+25. Admin Rights - `PARTIAL` (delete/pin/edit info + explicit ban API for groups/channels; channel member delete now behaves as leave; integration tests cover channel read-only posting for members, remaining UX moderation tools limited)
 26. Channels - `PARTIAL` (create/post/edit/delete/subscribe/unsubscribe; UX edge-cases still polishing)
 27. Channel Types - `DONE` (public/private)
 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
diff --git a/tests/test_chat_message_flow.py b/tests/test_chat_message_flow.py
index b535e7e..c1c49dd 100644
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -185,6 +185,36 @@ async def test_channel_member_cannot_delete_for_all(client, db_session):
     assert delete_for_all_by_member.status_code == 403
 
 
+async def test_channel_member_is_read_only_for_posting(client, db_session):
+    owner = await _create_verified_user(client, db_session, "channel_post_owner@example.com", "channel_post_owner", "strongpass123")
+    member = await _create_verified_user(client, db_session, "channel_post_member@example.com", "channel_post_member", "strongpass123")
+
+    me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
+    member_id = me_member.json()["id"]
+
+    create_channel = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.CHANNEL.value, "title": "Read only channel", "member_ids": [member_id]},
+    )
+    assert create_channel.status_code == 200
+    chat_id = create_channel.json()["id"]
+
+    member_post = await client.post(
+        "/api/v1/messages",
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+        json={"chat_id": chat_id, "type": "text", "text": "member post"},
+    )
+    assert member_post.status_code == 403
+
+    owner_post = await client.post(
+        "/api/v1/messages",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"chat_id": chat_id, "type": "text", "text": "owner post"},
+    )
+    assert owner_post.status_code == 201
+
+
 async def test_group_invite_privacy_contacts_only(client, db_session):
     inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
     target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")