51 lines
2.0 KiB
Python
51 lines
2.0 KiB
Python
# tests/integration/security/test_authorization.py
|
|
import pytest
|
|
|
|
|
|
@pytest.mark.integration
|
|
@pytest.mark.security
|
|
@pytest.mark.auth
|
|
class TestAuthorization:
|
|
def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
|
|
"""Test that admin endpoints require admin role"""
|
|
response = client.get("/api/v1/admin/users", headers=auth_headers)
|
|
assert response.status_code == 403
|
|
# Regular user should be denied access
|
|
|
|
def test_admin_endpoints_with_admin_access(self, client, admin_headers):
|
|
"""Test that admin users can access admin endpoints"""
|
|
admin_endpoints = [
|
|
"/api/v1/admin/users",
|
|
"/api/v1/admin/vendors",
|
|
"/api/v1/admin/marketplace-import-jobs",
|
|
]
|
|
|
|
for endpoint in admin_endpoints:
|
|
response = client.get(endpoint, headers=admin_headers)
|
|
assert response.status_code == 200 # Admin should have access
|
|
|
|
def test_regular_endpoints_with_user_access(self, client, auth_headers):
|
|
"""Test that regular users can access non-admin endpoints"""
|
|
user_endpoints = [
|
|
"/api/v1/marketplace/product",
|
|
"/api/v1/stats",
|
|
"/api/v1/stock",
|
|
]
|
|
|
|
for endpoint in user_endpoints:
|
|
response = client.get(endpoint, headers=auth_headers)
|
|
assert response.status_code == 200 # Regular user should have access
|
|
|
|
def test_vendor_owner_access_control(
|
|
self, client, auth_headers, test_vendor, other_user
|
|
):
|
|
"""Test that users can only access their own vendors"""
|
|
# Test accessing own vendor (should work)
|
|
response = client.get(
|
|
f"/api/v1/vendor /{test_vendor.vendor_code}", headers=auth_headers
|
|
)
|
|
# Response depends on your implementation - could be 200 or 404 if vendor doesn't belong to user
|
|
|
|
# The exact assertion depends on your vendor access control implementation
|
|
assert response.status_code in [200, 403, 404]
|