sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
fb8cb145065e771de36b68fba0a31494d8fd81f0
orion/tests/integration/api/v1/modules/test_module_access.py
Samir Boulahtit d7a0ff8818 refactor: complete module-driven architecture migration 
This commit completes the migration to a fully module-driven architecture:

## Models Migration
- Moved all domain models from models/database/ to their respective modules:
  - tenancy: User, Admin, Vendor, Company, Platform, VendorDomain, etc.
  - cms: MediaFile, VendorTheme
  - messaging: Email, VendorEmailSettings, VendorEmailTemplate
  - core: AdminMenuConfig
- models/database/ now only contains Base and TimestampMixin (infrastructure)

## Schemas Migration
- Moved all domain schemas from models/schema/ to their respective modules:
  - tenancy: company, vendor, admin, team, vendor_domain
  - cms: media, image, vendor_theme
  - messaging: email
- models/schema/ now only contains base.py and auth.py (infrastructure)

## Routes Migration
- Moved admin routes from app/api/v1/admin/ to modules:
  - menu_config.py -> core module
  - modules.py -> tenancy module
  - module_config.py -> tenancy module
- app/api/v1/admin/ now only aggregates auto-discovered module routes

## Menu System
- Implemented module-driven menu system with MenuDiscoveryService
- Extended FrontendType enum: PLATFORM, ADMIN, VENDOR, STOREFRONT
- Added MenuItemDefinition and MenuSectionDefinition dataclasses
- Each module now defines its own menu items in definition.py
- MenuService integrates with MenuDiscoveryService for template rendering

## Documentation
- Updated docs/architecture/models-structure.md
- Updated docs/architecture/menu-management.md
- Updated architecture validation rules for new exceptions

## Architecture Validation
- Updated MOD-019 rule to allow base.py in models/schema/
- Created core module exceptions.py and schemas/ directory
- All validation errors resolved (only warnings remain)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:02:56 +01:00

254 lines
8.8 KiB
Python
Raw Blame History

# tests/integration/api/v1/modules/test_module_access.py
"""
Integration tests for module-based access control.
Tests verify that:
- Disabled modules return 403 Forbidden
- Enabled modules allow access
- Core modules are always accessible
- Module dependencies are enforced
"""
import pytest
from app.modules.tenancy.models import Platform
@pytest.mark.integration
@pytest.mark.api
@pytest.mark.modules
class TestModuleAccessControl:
"""Tests for module-based access control on API endpoints."""
# ========================================================================
# Billing Module Access Tests
# ========================================================================
def test_billing_accessible_when_enabled(
self, client, auth_headers, test_vendor, db
):
"""Test billing endpoints accessible when module enabled."""
# Ensure billing module is enabled (default - no config means all enabled)
response = client.get(
"/api/v1/vendor/billing/subscription",
headers=auth_headers,
)
# Should succeed (200) or have other error, but NOT 403 for module
assert response.status_code != 403 or "module" not in response.json().get("message", "").lower()
def test_billing_forbidden_when_disabled(
self, client, auth_headers, test_vendor, db, test_platform
):
"""Test billing endpoints return 403 when module disabled."""
# Disable billing module
test_platform.settings = {"enabled_modules": ["core", "platform-admin", "inventory"]}
db.commit()
response = client.get(
"/api/v1/vendor/billing/subscription",
headers=auth_headers,
)
# Should return 403 with module disabled message
assert response.status_code == 403
data = response.json()
assert "module" in data.get("message", "").lower() or data.get("error_code") == "MODULE_DISABLED"
# ========================================================================
# Inventory Module Access Tests
# ========================================================================
def test_inventory_accessible_when_enabled(
self, client, auth_headers, test_inventory
):
"""Test inventory endpoints accessible when module enabled."""
response = client.get(
"/api/v1/vendor/inventory",
headers=auth_headers,
)
# Should succeed
assert response.status_code == 200
def test_inventory_forbidden_when_disabled(
self, client, auth_headers, db, test_platform
):
"""Test inventory endpoints return 403 when module disabled."""
# Disable inventory module
test_platform.settings = {"enabled_modules": ["core", "platform-admin", "billing"]}
db.commit()
response = client.get(
"/api/v1/vendor/inventory",
headers=auth_headers,
)
# Should return 403
assert response.status_code == 403
data = response.json()
assert "module" in data.get("message", "").lower() or data.get("error_code") == "MODULE_DISABLED"
# ========================================================================
# Orders Module Access Tests
# ========================================================================
def test_orders_accessible_when_enabled(
self, client, auth_headers, test_order
):
"""Test orders endpoints accessible when module enabled."""
response = client.get(
"/api/v1/vendor/orders",
headers=auth_headers,
)
# Should succeed
assert response.status_code == 200
def test_orders_forbidden_when_disabled(
self, client, auth_headers, db, test_platform
):
"""Test orders endpoints return 403 when module disabled."""
# Disable orders module
test_platform.settings = {"enabled_modules": ["core", "platform-admin"]}
db.commit()
response = client.get(
"/api/v1/vendor/orders",
headers=auth_headers,
)
# Should return 403
assert response.status_code == 403
# ========================================================================
# Marketplace Module Access Tests
# ========================================================================
def test_marketplace_accessible_when_enabled(
self, client, auth_headers
):
"""Test marketplace endpoints accessible when module enabled."""
response = client.get(
"/api/v1/vendor/marketplace/settings",
headers=auth_headers,
)
# Should not return 403 for module disabled
# (might be 404 if no settings exist, or 200)
assert response.status_code != 403 or "module" not in response.json().get("message", "").lower()
def test_marketplace_forbidden_when_disabled(
self, client, auth_headers, db, test_platform
):
"""Test marketplace endpoints return 403 when module disabled."""
# Disable marketplace module but keep inventory (its dependency)
test_platform.settings = {"enabled_modules": ["core", "platform-admin", "inventory"]}
db.commit()
response = client.get(
"/api/v1/vendor/marketplace/settings",
headers=auth_headers,
)
# Should return 403
assert response.status_code == 403
# ========================================================================
# Core Module Tests
# ========================================================================
def test_core_always_accessible(
self, client, auth_headers, db, test_platform
):
"""Test core endpoints always accessible even with empty modules."""
# Set empty module list (but core is always added)
test_platform.settings = {"enabled_modules": []}
db.commit()
# Dashboard is a core endpoint
response = client.get(
"/api/v1/vendor/dashboard",
headers=auth_headers,
)
# Should NOT return 403 for module disabled
assert response.status_code != 403 or "module" not in response.json().get("message", "").lower()
# ========================================================================
# Admin Module Access Tests
# ========================================================================
def test_admin_inventory_accessible_when_enabled(
self, client, admin_headers, test_inventory
):
"""Test admin inventory endpoints accessible when module enabled."""
response = client.get(
"/api/v1/admin/inventory",
headers=admin_headers,
)
# Should succeed
assert response.status_code == 200
def test_admin_inventory_forbidden_when_disabled(
self, client, admin_headers, db, test_platform
):
"""Test admin inventory endpoints return 403 when module disabled."""
# Disable inventory module
test_platform.settings = {"enabled_modules": ["core", "platform-admin"]}
db.commit()
response = client.get(
"/api/v1/admin/inventory",
headers=admin_headers,
)
# Should return 403
assert response.status_code == 403
@pytest.mark.integration
@pytest.mark.api
@pytest.mark.modules
class TestModuleDependencyAccess:
"""Tests for module dependency enforcement in access control."""
def test_marketplace_requires_inventory(
self, client, auth_headers, db, test_platform
):
"""Test marketplace requires inventory to be enabled."""
# Enable marketplace but disable inventory
test_platform.settings = {"enabled_modules": ["marketplace"]}
db.commit()
# Due to dependency resolution, inventory should be auto-enabled
response = client.get(
"/api/v1/vendor/inventory",
headers=auth_headers,
)
# Should be accessible because marketplace depends on inventory
# The module service should auto-enable inventory
assert response.status_code != 403 or "module" not in response.json().get("message", "").lower()
def test_disabling_dependency_disables_dependent(
self, client, auth_headers, db, test_platform
):
"""Test that disabling a dependency also affects dependent modules."""
# First enable both
test_platform.settings = {"enabled_modules": ["inventory", "marketplace"]}
db.commit()
# Now disable inventory - marketplace should also be affected
test_platform.settings = {"enabled_modules": []} # Only core remains
db.commit()
# Marketplace should be disabled
response = client.get(
"/api/v1/vendor/marketplace/settings",
headers=auth_headers,
)
assert response.status_code == 403
Reference in New Issue View Git Blame Copy Permalink