benya/Messenger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(privacy): verify contacts-only avatar and presence visibility
Some checks are pending
CI / test (push) Has started running
Details

Browse Source
This commit is contained in:
Alex
2026-03-08 20:01:36 +03:00
parent f369083b6a
commit 9bc695ca58
2 changed files with 56 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/core-checklist-status.md
View File

@@ -37,7 +37,7 @@ Legend:
28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
29. Archive - `DONE`
30. Blacklist - `DONE`
31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; integration tests cover search + private chat counterpart visibility, remaining UX/matrix hardening)
31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; integration tests cover search + private chat counterpart visibility for `nobody/contacts`, remaining UX/matrix hardening)
32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added; UX polish ongoing)
33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`)

55
tests/test_chat_message_flow.py
View File

@@ -312,3 +312,58 @@ async def test_private_chat_hides_counterpart_presence_and_avatar_by_privacy(cli
assert row["counterpart_avatar_url"] is None
assert row["counterpart_is_online"] is None
assert row["counterpart_last_seen_at"] is None
async def test_private_chat_contacts_privacy_reveals_avatar_and_presence_for_allowed_viewer(client, db_session):
owner = await _create_verified_user(client, db_session, "privacy_contacts_owner@example.com", "privacy_contacts_owner", "strongpass123")
viewer = await _create_verified_user(client, db_session, "privacy_contacts_viewer@example.com", "privacy_contacts_viewer", "strongpass123")
me_owner = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {owner['access_token']}"})
me_viewer = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {viewer['access_token']}"})
owner_id = me_owner.json()["id"]
viewer_id = me_viewer.json()["id"]
set_privacy = await client.put(
"/api/v1/users/profile",
headers={"Authorization": f"Bearer {owner['access_token']}"},
json={
"avatar_url": "https://cdn.example.com/privacy-contacts-owner.png",
"privacy_avatar": "contacts",
"privacy_last_seen": "contacts",
},
)
assert set_privacy.status_code == 200
create_chat = await client.post(
"/api/v1/chats",
headers={"Authorization": f"Bearer {viewer['access_token']}"},
json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [owner_id]},
)
assert create_chat.status_code == 200
chat_id = create_chat.json()["id"]
viewer_chats_before = await client.get(
"/api/v1/chats",
headers={"Authorization": f"Bearer {viewer['access_token']}"},
)
assert viewer_chats_before.status_code == 200
row_before = next((chat for chat in viewer_chats_before.json() if chat["id"] == chat_id), None)
assert row_before is not None
assert row_before["counterpart_avatar_url"] is None
assert row_before["counterpart_is_online"] is None
add_contact = await client.post(
f"/api/v1/users/{viewer_id}/contacts",
headers={"Authorization": f"Bearer {owner['access_token']}"},
)
assert add_contact.status_code == 204
viewer_chats_after = await client.get(
"/api/v1/chats",
headers={"Authorization": f"Bearer {viewer['access_token']}"},
)
assert viewer_chats_after.status_code == 200
row_after = next((chat for chat in viewer_chats_after.json() if chat["id"] == chat_id), None)
assert row_after is not None
assert row_after["counterpart_avatar_url"] == "https://cdn.example.com/privacy-contacts-owner.png"
assert row_after["counterpart_is_online"] is not None