tests(privacy): cover group-invite and avatar visibility policies

2026-03-08 19:05:43 +03:00
parent 1c9855b34c
commit af1ce20640
2 changed files with 62 additions and 1 deletions
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -124,3 +124,64 @@ async def test_group_ban_blocks_rejoin(client, db_session):
        headers={"Authorization": f"Bearer {member['access_token']}"},
    )
    assert rejoin_response.status_code == 403
+
+
+async def test_group_invite_privacy_contacts_only(client, db_session):
+    inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
+    target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")
+
+    me_inviter = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {inviter['access_token']}"})
+    me_target = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {target['access_token']}"})
+    inviter_id = me_inviter.json()["id"]
+    target_id = me_target.json()["id"]
+
+    set_contacts_only = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {target['access_token']}"},
+        json={"privacy_group_invites": "contacts"},
+    )
+    assert set_contacts_only.status_code == 200
+
+    create_group_blocked = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {inviter['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Blocked group", "member_ids": [target_id]},
+    )
+    assert create_group_blocked.status_code == 403
+
+    add_contact = await client.post(
+        f"/api/v1/users/{inviter_id}/contacts",
+        headers={"Authorization": f"Bearer {target['access_token']}"},
+    )
+    assert add_contact.status_code == 204
+
+    create_group_allowed = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {inviter['access_token']}"},
+        json={"type": ChatType.GROUP.value, "title": "Allowed group", "member_ids": [target_id]},
+    )
+    assert create_group_allowed.status_code == 200
+
+
+async def test_avatar_privacy_hidden_from_other_users_search(client, db_session):
+    owner = await _create_verified_user(client, db_session, "avatar_owner@example.com", "avatar_owner", "strongpass123")
+    viewer = await _create_verified_user(client, db_session, "avatar_viewer@example.com", "avatar_viewer", "strongpass123")
+
+    set_avatar_and_privacy = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"avatar_url": "https://cdn.example.com/avatar-owner.png", "privacy_avatar": "nobody"},
+    )
+    assert set_avatar_and_privacy.status_code == 200
+    assert set_avatar_and_privacy.json()["avatar_url"] == "https://cdn.example.com/avatar-owner.png"
+
+    search_response = await client.get(
+        "/api/v1/users/search",
+        params={"query": "avatar_owner", "limit": 20},
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+    )
+    assert search_response.status_code == 200
+    rows = search_response.json()
+    owner_row = next((item for item in rows if item["username"] == "avatar_owner"), None)
+    assert owner_row is not None
+    assert owner_row["avatar_url"] is None