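# tests/integration/security/test_authorization.py
import pytest


@pytest.mark.integration
@pytest.mark.security
@pytest.mark.auth
class TestAuthorization:
    """Role-based access checks against the HTTP API.

    All fixtures used here (``client``, ``auth_headers``, ``admin_headers``,
    ``test_shop``, ``other_user``) come from the suite's conftest; nothing in
    this module defines them, so their exact shape is assumed, not known.
    """

    def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
        """A caller with regular-user headers must be refused on an admin endpoint.

        The exact code 403 is asserted (not merely "not 200") so that a routing
        regression returning 404 cannot masquerade as a successful denial.
        """
        response = client.get("/api/v1/admin/users", headers=auth_headers)
        assert response.status_code == 403, (
            "expected 403 for a non-admin on /api/v1/admin/users, "
            f"got {response.status_code}"
        )

    def test_admin_endpoints_with_admin_access(self, client, admin_headers):
        """Admin headers must be accepted on every listed admin endpoint.

        The failure message names the endpoint so a single failing route can be
        identified without re-running the loop by hand.
        """
        admin_endpoints = [
            "/api/v1/admin/users",
            "/api/v1/admin/shops",
            "/api/v1/admin/marketplace-import-jobs",
        ]
        for endpoint in admin_endpoints:
            response = client.get(endpoint, headers=admin_headers)
            assert response.status_code == 200, (
                f"admin expected 200 on {endpoint}, got {response.status_code}"
            )

    def test_regular_endpoints_with_user_access(self, client, auth_headers):
        """Regular-user headers must be accepted on the listed non-admin endpoints.

        As above, the failure message carries the endpoint that did not return
        200.
        """
        user_endpoints = [
            "/api/v1/product",
            "/api/v1/stats",
            "/api/v1/stock",
        ]
        for endpoint in user_endpoints:
            response = client.get(endpoint, headers=auth_headers)
            assert response.status_code == 200, (
                f"user expected 200 on {endpoint}, got {response.status_code}"
            )

    def test_shop_owner_access_control(
        self, client, auth_headers, test_shop, other_user
    ):
        """Fetch a shop by code with regular-user headers.

        The accepted status set (200, 403, 404) is kept from the original suite:
        whether ``test_shop`` belongs to the ``auth_headers`` user is not pinned
        down here, so both success and denial are tolerated. ``other_user`` is
        requested only so the fixture is set up; it is not exercised, which means
        the cross-user case (another user's credentials against ``test_shop``)
        is still unchecked.
        """
        response = client.get(
            f"/api/v1/shop/{test_shop.shop_code}", headers=auth_headers
        )
        # NOTE(review): accepting both a 200 and a denial means this assertion
        # cannot detect a broken ownership check; tighten it once the expected
        # ownership of test_shop relative to auth_headers is fixed by the
        # fixtures.
        assert response.status_code in (200, 403, 404), (
            f"unexpected status {response.status_code} for shop "
            f"{test_shop.shop_code}"
        )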