test(roles): enforce owner-only member role management
@@ -31,7 +31,7 @@ Legend:
|
|||||||
22. Text Formatting - `PARTIAL` (bold/italic/underline/spoiler/mono/links + strikethrough + quote/code block; toolbar still evolving)
|
22. Text Formatting - `PARTIAL` (bold/italic/underline/spoiler/mono/links + strikethrough + quote/code block; toolbar still evolving)
|
||||||
23. Groups - `PARTIAL` (create/add/remove/invite link; advanced moderation partial)
|
23. Groups - `PARTIAL` (create/add/remove/invite link; advanced moderation partial)
|
||||||
24. Roles - `DONE` (owner/admin/member)
|
24. Roles - `DONE` (owner/admin/member)
|
||||||
25. Admin Rights - `PARTIAL` (delete/pin/edit info + explicit ban API for groups/channels; integration tests cover channel member read-only, channel admin full-delete, channel message delete-for-all permissions, and group profile edit permissions; remaining UX moderation tools limited)
|
25. Admin Rights - `PARTIAL` (delete/pin/edit info + explicit ban API for groups/channels; integration tests cover channel member read-only, channel admin full-delete, channel message delete-for-all permissions, group profile edit permissions, and owner-only role management rules; remaining UX moderation tools limited)
|
||||||
26. Channels - `PARTIAL` (create/post/edit/delete/subscribe/unsubscribe; UX edge-cases still polishing)
|
26. Channels - `PARTIAL` (create/post/edit/delete/subscribe/unsubscribe; UX edge-cases still polishing)
|
||||||
27. Channel Types - `DONE` (public/private)
|
27. Channel Types - `DONE` (public/private)
|
||||||
28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
|
28. Notifications - `PARTIAL` (browser notifications + mute/settings; no mobile push infra)
|
||||||
|
|||||||
@@ -396,6 +396,64 @@ async def test_group_admin_can_edit_chat_profile(client, db_session):
|
|||||||
assert body["description"] == "Updated by admin"
|
assert body["description"] == "Updated by admin"
|
||||||
|
|
||||||
|
|
||||||
|
async def test_group_admin_cannot_change_member_roles(client, db_session):
|
||||||
|
owner = await _create_verified_user(client, db_session, "roles_owner@example.com", "roles_owner", "strongpass123")
|
||||||
|
admin_user = await _create_verified_user(client, db_session, "roles_admin@example.com", "roles_admin", "strongpass123")
|
||||||
|
member_user = await _create_verified_user(client, db_session, "roles_member@example.com", "roles_member", "strongpass123")
|
||||||
|
|
||||||
|
me_admin = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {admin_user['access_token']}"})
|
||||||
|
me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member_user['access_token']}"})
|
||||||
|
admin_id = me_admin.json()["id"]
|
||||||
|
member_id = me_member.json()["id"]
|
||||||
|
|
||||||
|
create_group = await client.post(
|
||||||
|
"/api/v1/chats",
|
||||||
|
headers={"Authorization": f"Bearer {owner['access_token']}"},
|
||||||
|
json={"type": ChatType.GROUP.value, "title": "Role restrictions", "member_ids": [admin_id, member_id]},
|
||||||
|
)
|
||||||
|
assert create_group.status_code == 200
|
||||||
|
chat_id = create_group.json()["id"]
|
||||||
|
|
||||||
|
promote_admin = await client.patch(
|
||||||
|
f"/api/v1/chats/{chat_id}/members/{admin_id}/role",
|
||||||
|
headers={"Authorization": f"Bearer {owner['access_token']}"},
|
||||||
|
json={"role": "admin"},
|
||||||
|
)
|
||||||
|
assert promote_admin.status_code == 200
|
||||||
|
|
||||||
|
admin_try_promote_member = await client.patch(
|
||||||
|
f"/api/v1/chats/{chat_id}/members/{member_id}/role",
|
||||||
|
headers={"Authorization": f"Bearer {admin_user['access_token']}"},
|
||||||
|
json={"role": "admin"},
|
||||||
|
)
|
||||||
|
assert admin_try_promote_member.status_code == 403
|
||||||
|
|
||||||
|
|
||||||
|
async def test_group_owner_cannot_demote_self_from_owner_role(client, db_session):
|
||||||
|
owner = await _create_verified_user(client, db_session, "roles_self_owner@example.com", "roles_self_owner", "strongpass123")
|
||||||
|
member = await _create_verified_user(client, db_session, "roles_self_member@example.com", "roles_self_member", "strongpass123")
|
||||||
|
|
||||||
|
me_member = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {member['access_token']}"})
|
||||||
|
member_id = me_member.json()["id"]
|
||||||
|
|
||||||
|
create_group = await client.post(
|
||||||
|
"/api/v1/chats",
|
||||||
|
headers={"Authorization": f"Bearer {owner['access_token']}"},
|
||||||
|
json={"type": ChatType.GROUP.value, "title": "Owner self demote", "member_ids": [member_id]},
|
||||||
|
)
|
||||||
|
assert create_group.status_code == 200
|
||||||
|
chat_id = create_group.json()["id"]
|
||||||
|
|
||||||
|
me_owner = await client.get("/api/v1/auth/me", headers={"Authorization": f"Bearer {owner['access_token']}"})
|
||||||
|
owner_id = me_owner.json()["id"]
|
||||||
|
owner_try_self_demote = await client.patch(
|
||||||
|
f"/api/v1/chats/{chat_id}/members/{owner_id}/role",
|
||||||
|
headers={"Authorization": f"Bearer {owner['access_token']}"},
|
||||||
|
json={"role": "admin"},
|
||||||
|
)
|
||||||
|
assert owner_try_self_demote.status_code == 422
|
||||||
|
|
||||||
|
|
||||||
async def test_group_invite_privacy_contacts_only(client, db_session):
|
async def test_group_invite_privacy_contacts_only(client, db_session):
|
||||||
inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
|
inviter = await _create_verified_user(client, db_session, "invite_u1@example.com", "invite_u1", "strongpass123")
|
||||||
target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")
|
target = await _create_verified_user(client, db_session, "invite_u2@example.com", "invite_u2", "strongpass123")
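Review bot: The only non-owner actor exercised in `test_group_admin_cannot_change_member_roles` is an admin promoting a member, so the more dangerous escalations the commit title claims to enforce — an admin assigning `{"role": "owner"}` to themselves, or a plain member (or a non-member) calling the role PATCH at all — are never asserted to be rejected. Neither new test reads the target's role back after the rejected request, so a handler that persists the change before raising would still pass; if the chats API exposes member roles, fetch them after the 403 and the 422 and assert they are unchanged (I could not see such an endpoint in this hunk). The 422 on self-demotion versus 403 for the admin case is presumably deliberate (schema-level rejection rather than an authorization failure), but a one-line comment on `assert owner_try_self_demote.status_code == 422` saying so would stop the next reader from "fixing" it to 403. I would extend the first test with the escalation probes below, right after the existing 403 assertion; the expected status for the `"owner"` payload is hedged because the hunk does not show whether that value is rejected by the schema or by the permission check.
```python
    assert admin_try_promote_member.status_code == 403

    # Privilege escalation: an admin must not be able to grant themselves ownership.
    admin_try_self_owner = await client.patch(
        f"/api/v1/chats/{chat_id}/members/{admin_id}/role",
        headers={"Authorization": f"Bearer {admin_user['access_token']}"},
        json={"role": "owner"},
    )
    assert admin_try_self_owner.status_code in (403, 422)

    # A plain member has no role-management rights at all.
    member_try_self_promote = await client.patch(
        f"/api/v1/chats/{chat_id}/members/{member_id}/role",
        headers={"Authorization": f"Bearer {member_user['access_token']}"},
        json={"role": "admin"},
    )
    assert member_try_self_promote.status_code == 403
```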
|
||||||
|
|||||||