# tests/integration/security/test_authorization.py """ Authorization tests for the API. Tests role-based access control: - Admin endpoints require admin role - Vendor endpoints require vendor context (vendor_id in token) """ import pytest @pytest.mark.integration @pytest.mark.security @pytest.mark.auth class TestAuthorization: def test_admin_endpoint_requires_admin_role(self, client, auth_headers): """Test that admin endpoints require admin role""" response = client.get("/api/v1/admin/users", headers=auth_headers) # Regular user should be denied access (401 not admin or 403 forbidden) assert response.status_code in [401, 403] def test_admin_endpoints_with_admin_access(self, client, admin_headers): """Test that admin users can access admin endpoints""" admin_endpoints = [ "/api/v1/admin/users", "/api/v1/admin/vendors", "/api/v1/admin/marketplace-import-jobs", ] for endpoint in admin_endpoints: response = client.get(endpoint, headers=admin_headers) assert response.status_code == 200, ( f"Admin should have access to {endpoint}" ) def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers): """Test that vendor endpoints require vendor context in token""" # Admin token doesn't have vendor_id claim response = client.get("/api/v1/vendor/products", headers=admin_headers) # Should fail - admin token lacks vendor_id claim assert response.status_code in [401, 403] def test_vendor_owner_access_control(self, client, admin_headers, test_vendor): """Test admin can access vendor by vendor code""" response = client.get( f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers ) # Admin should be able to view vendor assert response.status_code == 200 @pytest.mark.integration @pytest.mark.security @pytest.mark.auth class TestHTMLPageAuthRedirect: """ Test that authorization errors on HTML pages redirect to login. For HTML page requests (Accept: text/html), both 401 and specific 403 errors should redirect to the appropriate login page instead of showing error pages. """ def test_api_request_returns_json_on_auth_error(self, client, auth_headers): """Test that API requests return JSON error, not redirect.""" # Non-admin user trying to access admin API endpoint response = client.get("/api/v1/admin/users", headers=auth_headers) assert response.status_code == 403 # Should be JSON, not redirect data = response.json() assert data["error_code"] == "ADMIN_REQUIRED" def test_html_page_redirects_on_no_token(self, client): """Test that HTML page requests without token redirect to login.""" # Request admin page without token, accepting HTML response = client.get( "/admin/dashboard", headers={"Accept": "text/html"}, follow_redirects=False, ) # Should redirect (302) to login page assert response.status_code == 302 assert "/admin/login" in response.headers.get("location", "") def test_html_page_redirects_on_invalid_token(self, client): """Test that HTML page requests with invalid token redirect to login.""" # Request admin page with invalid token cookie, accepting HTML response = client.get( "/admin/dashboard", headers={"Accept": "text/html"}, cookies={"admin_token": "invalid.token.here"}, follow_redirects=False, ) # Should redirect (302) to login page assert response.status_code == 302 assert "/admin/login" in response.headers.get("location", "") def test_html_page_redirects_on_admin_required(self, client, auth_headers): """Test that HTML page requests with wrong role redirect to login.""" # Regular user (not admin) trying to access admin HTML page # We need to set both the cookie and Accept header for HTML behavior response = client.get( "/admin/dashboard", headers={ "Accept": "text/html", "Authorization": auth_headers["Authorization"], }, follow_redirects=False, ) # Should redirect (302) to login page when user lacks admin role assert response.status_code == 302 assert "/admin/login" in response.headers.get("location", "")