test(channels): enforce delete-for-all permissions on messages

2026-03-08 20:15:25 +03:00
parent 60e5225c80
commit 80bda6e537
2 changed files with 53 additions and 1 deletions
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -288,6 +288,58 @@ async def test_channel_admin_can_delete_channel_for_all(client, db_session):
    assert all(chat["id"] != chat_id for chat in owner_chats.json())


+async def test_channel_message_delete_for_all_permissions(client, db_session):
+    owner = await _create_verified_user(client, db_session, "channel_msg_owner@example.com", "channel_msg_owner", "strongpass123")
+    member = await _create_verified_user(client, db_session, "channel_msg_member@example.com", "channel_msg_member", "strongpass123")
+
+    me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
+    member_id = me_member.json()["id"]
+
+    create_channel = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.CHANNEL.value, "title": "Channel message permissions", "member_ids": [member_id]},
+    )
+    assert create_channel.status_code == 200
+    chat_id = create_channel.json()["id"]
+
+    owner_message = await client.post(
+        "/api/v1/messages",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"chat_id": chat_id, "type": "text", "text": "to be deleted"},
+    )
+    assert owner_message.status_code == 201
+    message_id = owner_message.json()["id"]
+
+    member_delete_for_all = await client.delete(
+        f"/api/v1/messages/{message_id}",
+        params={"for_all": True},
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+    )
+    assert member_delete_for_all.status_code == 403
+
+    promote_admin = await client.patch(
+        f"/api/v1/chats/{chat_id}/members/{member_id}/role",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"role": "admin"},
+    )
+    assert promote_admin.status_code == 200
+
+    admin_delete_for_all = await client.delete(
+        f"/api/v1/messages/{message_id}",
+        params={"for_all": True},
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+    )
+    assert admin_delete_for_all.status_code == 204
+
+    owner_messages = await client.get(
+        f"/api/v1/messages/{chat_id}",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+    )
+    assert owner_messages.status_code == 200
+    assert all(item["id"] != message_id for item in owner_messages.json())
+
+
 async def test_group_member_cannot_edit_chat_profile(client, db_session):
    owner = await _create_verified_user(client, db_session, "group_profile_owner@example.com", "group_profile_owner", "strongpass123")
    member = await _create_verified_user(client, db_session, "group_profile_member@example.com", "group_profile_member", "strongpass123")