feat(moderation): add chat bans list endpoint with admin access checks

2026-03-08 21:21:43 +03:00
parent 5909503012
commit 90320ffd5d
7 changed files with 114 additions and 1 deletions
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -492,6 +492,55 @@ async def test_group_ban_blocks_rejoin(client, db_session):
    assert rejoin_response.status_code == 403


+async def test_group_ban_list_visible_to_admin_and_hidden_from_member(client, db_session):
+    owner = await _create_verified_user(client, db_session, "ban_list_owner@example.com", "ban_list_owner", "strongpass123")
+    admin = await _create_verified_user(client, db_session, "ban_list_admin@example.com", "ban_list_admin", "strongpass123")
+    member = await _create_verified_user(client, db_session, "ban_list_member@example.com", "ban_list_member", "strongpass123")
+    target = await _create_verified_user(client, db_session, "ban_list_target@example.com", "ban_list_target", "strongpass123")
+
+    me_admin = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {admin['access_token']}"})
+    me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
+    me_target = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {target['access_token']}"})
+    admin_id = me_admin.json()["id"]
+    member_id = me_member.json()["id"]
+    target_id = me_target.json()["id"]
+
+    create_group = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Ban list group", "member_ids": [admin_id, member_id, target_id]},
+    )
+    assert create_group.status_code == 200
+    chat_id = create_group.json()["id"]
+
+    promote_admin = await client.patch(
+        f"/api/v1/chats/{chat_id}/members/{admin_id}/role",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"role": "admin"},
+    )
+    assert promote_admin.status_code == 200
+
+    ban_target = await client.post(
+        f"/api/v1/chats/{chat_id}/bans/{target_id}",
+        headers={"Authorization": f"Bearer {admin['access_token']}"},
+    )
+    assert ban_target.status_code == 204
+
+    list_by_admin = await client.get(
+        f"/api/v1/chats/{chat_id}/bans",
+        headers={"Authorization": f"Bearer {admin['access_token']}"},
+    )
+    assert list_by_admin.status_code == 200
+    bans = list_by_admin.json()
+    assert any(item["user_id"] == target_id and item["banned_by_user_id"] == admin_id for item in bans)
+
+    list_by_member = await client.get(
+        f"/api/v1/chats/{chat_id}/bans",
+        headers={"Authorization": f"Bearer {member['access_token']}"},
+    )
+    assert list_by_member.status_code == 403
+
+
 async def test_channel_member_delete_chat_behaves_as_leave(client, db_session):
    owner = await _create_verified_user(client, db_session, "channel_owner@example.com", "channel_owner", "strongpass123")
    member = await _create_verified_user(client, db_session, "channel_member@example.com", "channel_member", "strongpass123")