sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fadc9036a2e4edea4b8412092283815efcd2b707
orion/tests/integration/security/test_authorization.py
Samir Boulahtit 9920430b9e fix: correct tojson|safe usage in templates and update validator 
- Remove |safe from |tojson in HTML attributes (x-data) - quotes must
  become " for browsers to parse correctly
- Update LANG-002 and LANG-003 architecture rules to document correct
  |tojson usage patterns:
  - HTML attributes: |tojson (no |safe)
  - Script blocks: |tojson|safe
- Fix validator to warn when |tojson|safe is used in x-data (breaks
  HTML attribute parsing)
- Improve code quality across services, APIs, and tests

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-13 22:59:51 +01:00

51 lines
1.9 KiB
Python
Raw Blame History

# tests/integration/security/test_authorization.py
"""
Authorization tests for the API.
Tests role-based access control:
- Admin endpoints require admin role
- Vendor endpoints require vendor context (vendor_id in token)
"""
import pytest
@pytest.mark.integration
@pytest.mark.security
@pytest.mark.auth
class TestAuthorization:
def test_admin_endpoint_requires_admin_role(self, client, auth_headers):
"""Test that admin endpoints require admin role"""
response = client.get("/api/v1/admin/users", headers=auth_headers)
# Regular user should be denied access (401 not admin or 403 forbidden)
assert response.status_code in [401, 403]
def test_admin_endpoints_with_admin_access(self, client, admin_headers):
"""Test that admin users can access admin endpoints"""
admin_endpoints = [
"/api/v1/admin/users",
"/api/v1/admin/vendors",
"/api/v1/admin/marketplace-import-jobs",
]
for endpoint in admin_endpoints:
response = client.get(endpoint, headers=admin_headers)
assert response.status_code == 200, (
f"Admin should have access to {endpoint}"
)
def test_vendor_endpoint_requires_vendor_context(self, client, admin_headers):
"""Test that vendor endpoints require vendor context in token"""
# Admin token doesn't have vendor_id claim
response = client.get("/api/v1/vendor/products", headers=admin_headers)
# Should fail - admin token lacks vendor_id claim
assert response.status_code in [401, 403]
def test_vendor_owner_access_control(self, client, admin_headers, test_vendor):
"""Test admin can access vendor by vendor code"""
response = client.get(
f"/api/v1/admin/vendors/{test_vendor.vendor_code}", headers=admin_headers
)
# Admin should be able to view vendor
assert response.status_code == 200
Reference in New Issue View Git Blame Copy Permalink