diff --git a/docs/core-checklist-status.md b/docs/core-checklist-status.md index f6b287c..31ad6cd 100644 --- a/docs/core-checklist-status.md +++ b/docs/core-checklist-status.md @@ -37,7 +37,7 @@ Legend: 28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra) 29. Archive - `DONE` 30. Blacklist - `DONE` -31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; remaining edge UX/matrix hardening) +31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; policy behavior covered by integration tests, remaining UX/matrix hardening) 32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; revoke-all now force-disconnects active realtime sessions; UX/TOTP recovery flow ongoing) 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates) 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel now hot-refreshes on `chat_updated`) diff --git a/tests/test_chat_message_flow.py b/tests/test_chat_message_flow.py index eb9949a..f29cdeb 100644 --- a/tests/test_chat_message_flow.py +++ b/tests/test_chat_message_flow.py @@ -124,3 +124,64 @@ async def test_group_ban_blocks_rejoin(client, db_session): headers={"Authorization": f"Bearer {member['access_token']}"}, ) assert rejoin_response.status_code == 403 + + +async def test_group_invite_privacy_contacts_only(client, db_session): + inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123") + target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123") + + me_inviter = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {inviter['access_token']}"}) + me_target = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {target['access_token']}"}) + inviter_id = me_inviter.json()["id"] + target_id = me_target.json()["id"] + + set_contacts_only = await client.put( + "/api/v1/users/profile", + headers={"Authorization": f"Bearer {target['access_token']}"}, + json={"privacy_group_invites": "contacts"}, + ) + assert set_contacts_only.status_code == 200 + + create_group_blocked = await client.post( + "/api/v1/chats", + headers={"Authorization": f"Bearer {inviter['access_token']}"}, + json={"type": ChatType.GROUP.value, "title": "Blocked group", "member_ids": [target_id]}, + ) + assert create_group_blocked.status_code == 403 + + add_contact = await client.post( + f"/api/v1/users/{inviter_id}/contacts", + headers={"Authorization": f"Bearer {target['access_token']}"}, + ) + assert add_contact.status_code == 204 + + create_group_allowed = await client.post( + "/api/v1/chats", + headers={"Authorization": f"Bearer {inviter['access_token']}"}, + json={"type": ChatType.GROUP.value, "title": "Allowed group", "member_ids": [target_id]}, + ) + assert create_group_allowed.status_code == 200 + + +async def test_avatar_privacy_hidden_from_other_users_search(client, db_session): + owner = await _create_verified_user(client, db_session, "avatar_owner@example.com", "avatar_owner", "strongpass123") + viewer = await _create_verified_user(client, db_session, "avatar_viewer@example.com", "avatar_viewer", "strongpass123") + + set_avatar_and_privacy = await client.put( + "/api/v1/users/profile", + headers={"Authorization": f"Bearer {owner['access_token']}"}, + json={"avatar_url": "https://cdn.example.com/avatar-owner.png", "privacy_avatar": "nobody"}, + ) + assert set_avatar_and_privacy.status_code == 200 + assert set_avatar_and_privacy.json()["avatar_url"] == "https://cdn.example.com/avatar-owner.png" + + search_response = await client.get( + "/api/v1/users/search", + params={"query": "avatar_owner", "limit": 20}, + headers={"Authorization": f"Bearer {viewer['access_token']}"}, + ) + assert search_response.status_code == 200 + rows = search_response.json() + owner_row = next((item for item in rows if item["username"] == "avatar_owner"), None) + assert owner_row is not None + assert owner_row["avatar_url"] is None