diff --git a/docs/core-checklist-status.md b/docs/core-checklist-status.md index bbd378d..fc53516 100644 --- a/docs/core-checklist-status.md +++ b/docs/core-checklist-status.md @@ -31,7 +31,7 @@ Legend: 22. Text Formatting - `PARTIAL` (bold/italic/underline/spoiler/mono/links + strikethrough + quote/code block; toolbar still evolving) 23. Groups - `PARTIAL` (create/add/remove/invite link; advanced moderation partial) 24. Roles - `DONE` (owner/admin/member) -25. Admin Rights - `PARTIAL` (delete/pin/edit info + explicit ban API for groups/channels; integration tests cover channel member read-only, channel admin full-delete, and group profile edit permissions; remaining UX moderation tools limited) +25. Admin Rights - `PARTIAL` (delete/pin/edit info + explicit ban API for groups/channels; integration tests cover channel member read-only, channel admin full-delete, channel message delete-for-all permissions, and group profile edit permissions; remaining UX moderation tools limited) 26. Channels - `PARTIAL` (create/post/edit/delete/subscribe/unsubscribe; UX edge-cases still polishing) 27. Channel Types - `DONE` (public/private) 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra) diff --git a/tests/test_chat_message_flow.py b/tests/test_chat_message_flow.py index 19f88aa..0ad1d15 100644 --- a/tests/test_chat_message_flow.py +++ b/tests/test_chat_message_flow.py @@ -288,6 +288,58 @@ async def test_channel_admin_can_delete_channel_for_all(client, db_session): assert all(chat["id"] != chat_id for chat in owner_chats.json()) +async def test_channel_message_delete_for_all_permissions(client, db_session): + owner = await _create_verified_user(client, db_session, "channel_msg_owner@example.com", "channel_msg_owner", "strongpass123") + member = await _create_verified_user(client, db_session, "channel_msg_member@example.com", "channel_msg_member", "strongpass123") + + me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"}) + member_id = me_member.json()["id"] + + create_channel = await client.post( + "/api/v1/chats", + headers={"Authorization": f"Bearer {owner['access_token']}"}, + json={"type": ChatType.CHANNEL.value, "title": "Channel message permissions", "member_ids": [member_id]}, + ) + assert create_channel.status_code == 200 + chat_id = create_channel.json()["id"] + + owner_message = await client.post( + "/api/v1/messages", + headers={"Authorization": f"Bearer {owner['access_token']}"}, + json={"chat_id": chat_id, "type": "text", "text": "to be deleted"}, + ) + assert owner_message.status_code == 201 + message_id = owner_message.json()["id"] + + member_delete_for_all = await client.delete( + f"/api/v1/messages/{message_id}", + params={"for_all": True}, + headers={"Authorization": f"Bearer {member['access_token']}"}, + ) + assert member_delete_for_all.status_code == 403 + + promote_admin = await client.patch( + f"/api/v1/chats/{chat_id}/members/{member_id}/role", + headers={"Authorization": f"Bearer {owner['access_token']}"}, + json={"role": "admin"}, + ) + assert promote_admin.status_code == 200 + + admin_delete_for_all = await client.delete( + f"/api/v1/messages/{message_id}", + params={"for_all": True}, + headers={"Authorization": f"Bearer {member['access_token']}"}, + ) + assert admin_delete_for_all.status_code == 204 + + owner_messages = await client.get( + f"/api/v1/messages/{chat_id}", + headers={"Authorization": f"Bearer {owner['access_token']}"}, + ) + assert owner_messages.status_code == 200 + assert all(item["id"] != message_id for item in owner_messages.json()) + + async def test_group_member_cannot_edit_chat_profile(client, db_session): owner = await _create_verified_user(client, db_session, "group_profile_owner@example.com", "group_profile_owner", "strongpass123") member = await _create_verified_user(client, db_session, "group_profile_member@example.com", "group_profile_member", "strongpass123")