 1  """Tests that restricted users cannot modify team resources."""
 2  import random
 3  import pytest
 4  from fastapi.testclient import TestClient
 5  
 6  from restai.config import RESTAI_DEFAULT_PASSWORD
 7  from restai.main import app
 8  
# Per-run suffix so repeated runs against the same database do not collide on
# team/user names.  `random` is acceptable here: this is only a uniqueness
# nonce for fixture names, not a secret or credential.
suffix = str(random.randrange(0, 1000001))
team_name = "rt_team_" + suffix
restricted_user = "rt_restricted_" + suffix
# Populated by test_setup; read by every later test in this module.
team_id = None
13  
14  
@pytest.fixture(scope="module")
def client():
    """Shared TestClient for every test in this module.

    Entered as a context manager so the client's enter/exit hooks bracket the
    whole module rather than each individual test.
    """
    test_client = TestClient(app)
    with test_client as c:
        yield c
19  
20  
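def test_setup(client):
    """Create the team and a restricted user, then make that user a team admin.

    Every later test in this module asserts that a *restricted team admin* is
    denied team mutations.  Those 403 assertions are only meaningful if the
    user really was created, added to the team and promoted, so each step is
    checked here instead of being fired and forgotten: a silently failed
    promotion would turn the later tests into a check on a plain member, and
    the suite would pass for the wrong reason.
    """
    global team_id
    admin_auth = ("admin", RESTAI_DEFAULT_PASSWORD)

    resp = client.post("/teams", json={"name": team_name}, auth=admin_auth)
    assert resp.status_code in (200, 201), resp.status_code
    team_id = resp.json()["id"]

    # Test-only credential; the user is deleted again in test_cleanup.
    resp = client.post(
        "/users",
        json={
            "username": restricted_user,
            "password": "pass123",
            "admin": False,
            "private": False,
            "is_restricted": True,
        },
        auth=admin_auth,
    )
    assert 200 <= resp.status_code < 300, resp.status_code

    resp = client.post(f"/teams/{team_id}/users/{restricted_user}", auth=admin_auth)
    assert 200 <= resp.status_code < 300, resp.status_code

    # This is the precondition the whole module depends on: the restricted
    # user must actually hold team-admin rights for the denials to prove
    # anything about the restricted flag.
    resp = client.post(f"/teams/{team_id}/admins/{restricted_user}", auth=admin_auth)
    assert 200 <= resp.status_code < 300, resp.status_code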
33  
34  
def test_restricted_cannot_create_team(client):
    """A restricted (non-admin) user must be refused when creating a team.

    NOTE(review): 404 is tolerated alongside 403 — presumably the server hides
    admin-only routes from non-admins — but that also lets a removed or
    renamed route pass this test.  Worth tightening to the single code the
    API actually returns once that is confirmed.
    """
    creds = (restricted_user, "pass123")
    payload = {"name": f"rt_new_{suffix}"}
    resp = client.post("/teams", json=payload, auth=creds)
    assert resp.status_code in (403, 404)
39  
40  
def test_restricted_cannot_update_team(client):
    """Team-admin rights do not let a restricted user PATCH the team.

    Expects a hard 403: the user authenticates fine, so anything other than
    an explicit authorization failure would indicate the restricted flag is
    not being enforced on this route.
    """
    creds = (restricted_user, "pass123")
    new_name = f"rt_renamed_{suffix}"
    resp = client.patch(f"/teams/{team_id}", json={"name": new_name}, auth=creds)
    assert resp.status_code == 403
45  
46  
def test_restricted_cannot_add_user_to_team(client):
    """Team-admin rights do not let a restricted user add members.

    Uses the built-in "admin" account as the target so the request is well
    formed and only the caller's restricted status can cause the denial.
    """
    creds = (restricted_user, "pass123")
    target = f"/teams/{team_id}/users/admin"
    resp = client.post(target, auth=creds)
    assert resp.status_code == 403
51  
52  
def test_restricted_cannot_remove_user_from_team(client):
    """Team-admin rights do not let a restricted user remove members.

    Mirrors the add-member test: same target, DELETE instead of POST, so a
    route that enforces the restriction on one verb but not the other is
    caught.
    """
    creds = (restricted_user, "pass123")
    target = f"/teams/{team_id}/users/admin"
    resp = client.delete(target, auth=creds)
    assert resp.status_code == 403
57  
58  
def test_restricted_cannot_send_team_invitation(client):
    """Team-admin rights do not let a restricted user invite people to the team.

    Invitations are a second path to membership changes, so they are checked
    separately from the direct add-member route.
    """
    creds = (restricted_user, "pass123")
    invitation = {"username": "admin"}
    resp = client.post(f"/teams/{team_id}/invitations", json=invitation, auth=creds)
    assert resp.status_code == 403
63  
64  
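def test_cleanup(client):
    """Best-effort removal of the team and user created by test_setup.

    Guarded so a failed test_setup (team_id still None) does not issue a
    DELETE against the literal path "/teams/None".  Responses are deliberately
    not asserted: cleanup must not mask the real failure when an earlier test
    has already broken the fixture state.
    """
    admin_auth = ("admin", RESTAI_DEFAULT_PASSWORD)
    if team_id is not None:
        client.delete(f"/teams/{team_id}", auth=admin_auth)
    client.delete(f"/users/{restricted_user}", auth=admin_auth)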