Tests restructuring

2025-09-19 21:23:57 +02:00
parent d0924f90c4
commit 366093bbc6
70 changed files with 212 additions and 1957 deletions
--- a/tests/integration/security/test_authorization.py
+++ b/tests/integration/security/test_authorization.py
@@ -0,0 +1,46 @@
+# tests/integration/security/test_authorization.py
+import pytest
+
+
+@pytest.mark.integration
+@pytest.mark.security
+@pytest.mark.auth
+class TestAuthorization:
+    def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
+        """Test that admin endpoints require admin role"""
+        response = client.get("/api/v1/admin/users", headers=auth_headers)
+        assert response.status_code == 403
+        # Regular user should be denied access
+
+    def test_admin_endpoints_with_admin_access(self, client, admin_headers):
+        """Test that admin users can access admin endpoints"""
+        admin_endpoints = [
+            "/api/v1/admin/users",
+            "/api/v1/admin/shops",
+            "/api/v1/admin/marketplace-import-jobs",
+        ]
+
+        for endpoint in admin_endpoints:
+            response = client.get(endpoint, headers=admin_headers)
+            assert response.status_code == 200  # Admin should have access
+
+    def test_regular_endpoints_with_user_access(self, client, auth_headers):
+        """Test that regular users can access non-admin endpoints"""
+        user_endpoints = [
+            "/api/v1/product",
+            "/api/v1/stats",
+            "/api/v1/stock",
+        ]
+
+        for endpoint in user_endpoints:
+            response = client.get(endpoint, headers=auth_headers)
+            assert response.status_code == 200  # Regular user should have access
+
+    def test_shop_owner_access_control(self, client, auth_headers, test_shop, other_user):
+        """Test that users can only access their own shops"""
+        # Test accessing own shop (should work)
+        response = client.get(f"/api/v1/shop/{test_shop.shop_code}", headers=auth_headers)
+        # Response depends on your implementation - could be 200 or 404 if shop doesn't belong to user
+        
+        # The exact assertion depends on your shop access control implementation
+        assert response.status_code in [200, 403, 404]