sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4cb4fec8e2f42301e6b48cac3c53a16f84f1a301
orion/tests/integration/security/test_authorization.py
Samir Boulahtit 4cb4fec8e2 fix: update tests for current API structure and model changes 
- Fix middleware fixtures: vendor_code instead of code, add owner_user_id to company
- Fix performance tests: MarketplaceProduct uses translations for title/description
- Fix security tests: use correct API endpoints (/api/v1/admin/*, /api/v1/vendor/*)
- Fix workflow tests: use actual admin API endpoints
- Fix background task tests: remove invalid vendor_name field, add language

Note: Many middleware integration tests still fail due to dynamic routes
being caught by the /{slug} catch-all route. These tests need further
refactoring to use /api/* prefixed routes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-13 16:01:16 +01:00

50 lines
1.9 KiB
Python
Raw Blame History

# tests/integration/security/test_authorization.py
"""
Authorization tests for the API.
Tests role-based access control:
- Admin endpoints require admin role
- Vendor endpoints require vendor context (vendor_id in token)
"""
import pytest
@pytest.mark.integration
@pytest.mark.security
@pytest.mark.auth
class TestAuthorization:
def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
"""Test that admin endpoints require admin role"""
response = client.get("/api/v1/admin/users", headers=auth_headers)
# Regular user should be denied access (401 not admin or 403 forbidden)
assert response.status_code in [401, 403]
def test_admin_endpoints_with_admin_access(self, client, admin_headers):
"""Test that admin users can access admin endpoints"""
admin_endpoints = [
"/api/v1/admin/users",
"/api/v1/admin/vendors",
"/api/v1/admin/marketplace-import-jobs",
]
for endpoint in admin_endpoints:
response = client.get(endpoint, headers=admin_headers)
assert response.status_code == 200, f"Admin should have access to {endpoint}"
def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers):
"""Test that vendor endpoints require vendor context in token"""
# Admin token doesn't have vendor_id claim
response = client.get("/api/v1/vendor/products", headers=admin_headers)
# Should fail - admin token lacks vendor_id claim
assert response.status_code in [401, 403]
def test_vendor_owner_access_control(
self, client, admin_headers, test_vendor
):
"""Test admin can access vendor by vendor code"""
response = client.get(
f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers
)
# Admin should be able to view vendor
assert response.status_code == 200
Reference in New Issue View Git Blame Copy Permalink