From d6378ab346d3ebac481577d374df3bf3c2401fac Mon Sep 17 00:00:00 2001
From: benya <benya@daemonlord.ru>
Date: Sun, 8 Mar 2026 21:04:27 +0300
Subject: [PATCH] test(privacy): extend avatar and presence matrix coverage

---
 docs/core-checklist-status.md   |  2 +-
 tests/test_chat_message_flow.py | 80 +++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 1 deletion(-)

diff --git a/docs/core-checklist-status.md b/docs/core-checklist-status.md
index 9f5241e..e573d68 100644
--- a/docs/core-checklist-status.md
+++ b/docs/core-checklist-status.md
@@ -37,7 +37,7 @@ Legend:
 28. Notifications - `PARTIAL` (browser notifications + mute/settings; chat mute is propagated in chat list payload, honored by web realtime notifications with mention override, and mute toggle now syncs instantly in chat store; no mobile push infra)
 29. Archive - `DONE`
 30. Blacklist - `DONE`
-31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; group-invite `nobody` is available in API and web settings; integration tests cover PM policy matrix (`everyone/contacts/nobody`), group-invite policy matrix (`everyone/contacts/nobody`), and private chat counterpart visibility for `nobody/contacts`, remaining UX/matrix hardening)
+31. Privacy - `PARTIAL` (avatar/last-seen/group-invites + PM policy `everyone|contacts|nobody`; group-invite `nobody` is available in API and web settings; integration tests cover PM policy matrix (`everyone/contacts/nobody`), group-invite policy matrix (`everyone/contacts/nobody`), private chat counterpart visibility for `nobody/contacts/everyone`, and avatar visibility matrix in search for `nobody/contacts` (with contact allowance), remaining UX/matrix hardening)
 32. Security - `PARTIAL` (sessions + revoke + 2FA base + access-session visibility; integration tests cover single-session revoke and revoke-all invalidation/force-disconnect; 2FA setup now blocked after enable to prevent secret re-issuance; one-time recovery codes added and covered for normalization/lifecycle (`remaining_codes` decrement + one-time usage); web auth panel supports recovery-code login; settings now warns when recovery codes are empty and provides copy/download actions for freshly generated codes)
 33. Realtime Events - `DONE` (connect/disconnect/send/receive/typing/read/delivered/online/offline + chat/message updates + chat_deleted)
 34. Sync - `PARTIAL` (cross-device via backend state + realtime; reconciliation improved for loaded chats/messages, chat-info panel hot-refreshes on `chat_updated`, delete/leave updates realtime subscriptions, full-chat delete emits `chat_deleted`)
diff --git a/tests/test_chat_message_flow.py b/tests/test_chat_message_flow.py
index 866e7a7..3cc2415 100644
--- a/tests/test_chat_message_flow.py
+++ b/tests/test_chat_message_flow.py
@@ -927,3 +927,83 @@ async def test_private_chat_contacts_privacy_reveals_avatar_and_presence_for_all
     assert row_after is not None
     assert row_after["counterpart_avatar_url"] == "https://cdn.example.com/privacy-contacts-owner.png"
     assert row_after["counterpart_is_online"] is not None
+
+
+async def test_avatar_privacy_contacts_in_search_visible_only_for_contacts(client, db_session):
+    owner = await _create_verified_user(client, db_session, "avatar_contacts_owner@example.com", "avatar_contacts_owner", "strongpass123")
+    viewer = await _create_verified_user(client, db_session, "avatar_contacts_viewer@example.com", "avatar_contacts_viewer", "strongpass123")
+
+    me_viewer = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {viewer['access_token']}"})
+    viewer_id = me_viewer.json()["id"]
+
+    set_avatar_and_privacy = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={"avatar_url": "https://cdn.example.com/avatar-contacts-owner.png", "privacy_avatar": "contacts"},
+    )
+    assert set_avatar_and_privacy.status_code == 200
+
+    search_before_contact = await client.get(
+        "/api/v1/users/search",
+        params={"query": "avatar_contacts_owner", "limit": 20},
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+    )
+    assert search_before_contact.status_code == 200
+    rows_before = search_before_contact.json()
+    owner_before = next((item for item in rows_before if item["username"] == "avatar_contacts_owner"), None)
+    assert owner_before is not None
+    assert owner_before["avatar_url"] is None
+
+    add_contact = await client.post(
+        f"/api/v1/users/{viewer_id}/contacts",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+    )
+    assert add_contact.status_code == 204
+
+    search_after_contact = await client.get(
+        "/api/v1/users/search",
+        params={"query": "avatar_contacts_owner", "limit": 20},
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+    )
+    assert search_after_contact.status_code == 200
+    rows_after = search_after_contact.json()
+    owner_after = next((item for item in rows_after if item["username"] == "avatar_contacts_owner"), None)
+    assert owner_after is not None
+    assert owner_after["avatar_url"] == "https://cdn.example.com/avatar-contacts-owner.png"
+
+
+async def test_private_chat_everyone_privacy_reveals_avatar_and_presence_without_contacts(client, db_session):
+    owner = await _create_verified_user(client, db_session, "privacy_everyone_owner@example.com", "privacy_everyone_owner", "strongpass123")
+    viewer = await _create_verified_user(client, db_session, "privacy_everyone_viewer@example.com", "privacy_everyone_viewer", "strongpass123")
+
+    me_owner = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {owner['access_token']}"})
+    owner_id = me_owner.json()["id"]
+
+    set_privacy = await client.put(
+        "/api/v1/users/profile",
+        headers={"Authorization": f"Bearer {owner['access_token']}"},
+        json={
+            "avatar_url": "https://cdn.example.com/privacy-everyone-owner.png",
+            "privacy_avatar": "everyone",
+            "privacy_last_seen": "everyone",
+        },
+    )
+    assert set_privacy.status_code == 200
+
+    create_chat = await client.post(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+        json={"type": ChatType.PRIVATE.value, "title": None, "member_ids": [owner_id]},
+    )
+    assert create_chat.status_code == 200
+    chat_id = create_chat.json()["id"]
+
+    viewer_chats = await client.get(
+        "/api/v1/chats",
+        headers={"Authorization": f"Bearer {viewer['access_token']}"},
+    )
+    assert viewer_chats.status_code == 200
+    row = next((chat for chat in viewer_chats.json() if chat["id"] == chat_id), None)
+    assert row is not None
+    assert row["counterpart_avatar_url"] == "https://cdn.example.com/privacy-everyone-owner.png"
+    assert row["counterpart_is_online"] is not None