test(rbac): scope tradein expired-role tests to praktika (user2 restored)
All checks were successful
CI / changes (pull_request) Successful in 13s
CI Trade-In / changes (pull_request) Successful in 13s
CI / frontend-tests (pull_request) Has been skipped
CI Trade-In / frontend-checks (pull_request) Has been skipped
CI Trade-In / backend-tests (pull_request) Successful in 1m27s
CI / openapi-codegen-check (pull_request) Successful in 3m13s
CI / backend-tests (pull_request) Successful in 16m14s
All checks were successful
CI / changes (pull_request) Successful in 13s
CI Trade-In / changes (pull_request) Successful in 13s
CI / frontend-tests (pull_request) Has been skipped
CI Trade-In / frontend-checks (pull_request) Has been skipped
CI Trade-In / backend-tests (pull_request) Successful in 1m27s
CI / openapi-codegen-check (pull_request) Successful in 3m13s
CI / backend-tests (pull_request) Successful in 16m14s
test_rbac_expired_denied_on_non_admin_api и test_rbac_expired_allowed_on_bootstrap хардкодили user2 как expired-субъект (только в tradein-зеркале — в main backend этих тестов нет, потому упал лишь CI Trade-In). user2 восстановлен в pilot → переводим оба на praktika (остаётся expired). Покрытие поведения expired-роли сохранено.
This commit is contained in:
parent
60be78f97c
commit
409c53b41b
1 changed files with 3 additions and 3 deletions
|
|
@ -320,7 +320,7 @@ def test_rbac_expired_denied_on_non_admin_api(client: TestClient) -> None:
|
||||||
"""#R2-H3: revoked (role=expired, paths:[] deny:/**) НЕ достаёт non-admin API.
|
"""#R2-H3: revoked (role=expired, paths:[] deny:/**) НЕ достаёт non-admin API.
|
||||||
Раньше rbac_guard гейтил только /admin/* → expired имел полный non-admin доступ
|
Раньше rbac_guard гейтил только /admin/* → expired имел полный non-admin доступ
|
||||||
(POST /search экспорт листингов и т.д.). Теперь scope-blocked → 403."""
|
(POST /search экспорт листингов и т.д.). Теперь scope-blocked → 403."""
|
||||||
for user in ("user2", "praktika"): # оба role=expired (trial отозван)
|
for user in ("praktika",): # role=expired (trial отозван; user2 восстановлен 2026-07-13)
|
||||||
for path in ("/api/v1/search", "/api/v1/trade-in/dummy"):
|
for path in ("/api/v1/search", "/api/v1/trade-in/dummy"):
|
||||||
resp = client.get(path, headers={"X-Authenticated-User": user})
|
resp = client.get(path, headers={"X-Authenticated-User": user})
|
||||||
assert resp.status_code == 403, f"{user} {path}: {resp.status_code}"
|
assert resp.status_code == 403, f"{user} {path}: {resp.status_code}"
|
||||||
|
|
@ -330,10 +330,10 @@ def test_rbac_expired_denied_on_non_admin_api(client: TestClient) -> None:
|
||||||
def test_rbac_expired_allowed_on_bootstrap(client: TestClient) -> None:
|
def test_rbac_expired_allowed_on_bootstrap(client: TestClient) -> None:
|
||||||
"""expired ДОЛЖЕН достучаться до /me (получить role=expired → trial-экран) и
|
"""expired ДОЛЖЕН достучаться до /me (получить role=expired → trial-экран) и
|
||||||
/brand/* (брендинг trial-экрана) — иначе UX сломан. Bootstrap-исключение."""
|
/brand/* (брендинг trial-экрана) — иначе UX сломан. Bootstrap-исключение."""
|
||||||
resp_me = client.get("/api/v1/me", headers={"X-Authenticated-User": "user2"})
|
resp_me = client.get("/api/v1/me", headers={"X-Authenticated-User": "praktika"})
|
||||||
assert resp_me.status_code == 200, resp_me.text
|
assert resp_me.status_code == 200, resp_me.text
|
||||||
assert resp_me.json()["role"] == "expired"
|
assert resp_me.json()["role"] == "expired"
|
||||||
resp_brand = client.get("/api/v1/brand/dummy", headers={"X-Authenticated-User": "user2"})
|
resp_brand = client.get("/api/v1/brand/dummy", headers={"X-Authenticated-User": "praktika"})
|
||||||
assert resp_brand.status_code == 200, resp_brand.text
|
assert resp_brand.status_code == 200, resp_brand.text
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue