fix(tradein/auth): restore brusnika (user2) pilot access (#2512)
All checks were successful
Deploy Trade-In / deploy (push) Successful in 1m7s
Deploy / changes (push) Successful in 15s
Deploy / build-frontend (push) Has been skipped
Deploy Trade-In / changes (push) Successful in 22s
Deploy Trade-In / build-frontend (push) Has been skipped
Deploy Trade-In / build-browser (push) Has been skipped
Deploy / build-worker (push) Successful in 53s
Deploy / build-backend (push) Successful in 54s
Deploy Trade-In / test (push) Successful in 1m20s
Deploy Trade-In / build-backend (push) Successful in 43s
Deploy / deploy (push) Successful in 1m56s

This commit is contained in:
lekss361 2026-07-13 15:33:36 +00:00
parent 60c21ae2a5
commit b5477362f0
3 changed files with 6 additions and 10 deletions

View file

@ -70,7 +70,7 @@ users:
admin: admin admin: admin
kopylov: pilot kopylov: pilot
user1: pilot user1: pilot
user2: expired # «Брусника» — пробный доступ закрыт 2026-07-09 (аналогично praktika) — NoAccessScreen variant="trial" user2: pilot # «Брусника» — доступ восстановлен 2026-07-13 (снят trial-expire от 2026-07-09)
user3: pilot user3: pilot
user4: pilot user4: pilot
user5: pilot user5: pilot

View file

@ -114,9 +114,7 @@ def test_get_role_known_users() -> None:
assert auth_mod.get_role("admin") == "admin" assert auth_mod.get_role("admin") == "admin"
assert auth_mod.get_role("kopylov") == "pilot" assert auth_mod.get_role("kopylov") == "pilot"
for n in range(1, 11): for n in range(1, 11):
# user2 = «Брусника»: пробный доступ закрыт 2026-07-09 (roles.yaml) assert auth_mod.get_role(f"user{n}") == "pilot"
expected = "expired" if n == 2 else "pilot"
assert auth_mod.get_role(f"user{n}") == expected
def test_get_role_unknown_user_raises() -> None: def test_get_role_unknown_user_raises() -> None:

View file

@ -132,9 +132,7 @@ def test_get_role_known_users() -> None:
assert auth_mod.get_role("admin") == "admin" assert auth_mod.get_role("admin") == "admin"
assert auth_mod.get_role("kopylov") == "pilot" assert auth_mod.get_role("kopylov") == "pilot"
for n in range(1, 11): for n in range(1, 11):
# user2 = «Брусника»: пробный доступ закрыт 2026-07-09 (roles.yaml) assert auth_mod.get_role(f"user{n}") == "pilot"
expected = "expired" if n == 2 else "pilot"
assert auth_mod.get_role(f"user{n}") == expected
def test_get_role_unknown_user_raises() -> None: def test_get_role_unknown_user_raises() -> None:
@ -322,7 +320,7 @@ def test_rbac_expired_denied_on_non_admin_api(client: TestClient) -> None:
"""#R2-H3: revoked (role=expired, paths:[] deny:/**) НЕ достаёт non-admin API. """#R2-H3: revoked (role=expired, paths:[] deny:/**) НЕ достаёт non-admin API.
Раньше rbac_guard гейтил только /admin/* expired имел полный non-admin доступ Раньше rbac_guard гейтил только /admin/* expired имел полный non-admin доступ
(POST /search экспорт листингов и т.д.). Теперь scope-blocked 403.""" (POST /search экспорт листингов и т.д.). Теперь scope-blocked 403."""
for user in ("user2", "praktika"): # оба role=expired (trial отозван) for user in ("praktika",): # role=expired (trial отозван; user2 восстановлен 2026-07-13)
for path in ("/api/v1/search", "/api/v1/trade-in/dummy"): for path in ("/api/v1/search", "/api/v1/trade-in/dummy"):
resp = client.get(path, headers={"X-Authenticated-User": user}) resp = client.get(path, headers={"X-Authenticated-User": user})
assert resp.status_code == 403, f"{user} {path}: {resp.status_code}" assert resp.status_code == 403, f"{user} {path}: {resp.status_code}"
@ -332,10 +330,10 @@ def test_rbac_expired_denied_on_non_admin_api(client: TestClient) -> None:
def test_rbac_expired_allowed_on_bootstrap(client: TestClient) -> None: def test_rbac_expired_allowed_on_bootstrap(client: TestClient) -> None:
"""expired ДОЛЖЕН достучаться до /me (получить role=expired → trial-экран) и """expired ДОЛЖЕН достучаться до /me (получить role=expired → trial-экран) и
/brand/* (брендинг trial-экрана) иначе UX сломан. Bootstrap-исключение.""" /brand/* (брендинг trial-экрана) иначе UX сломан. Bootstrap-исключение."""
resp_me = client.get("/api/v1/me", headers={"X-Authenticated-User": "user2"}) resp_me = client.get("/api/v1/me", headers={"X-Authenticated-User": "praktika"})
assert resp_me.status_code == 200, resp_me.text assert resp_me.status_code == 200, resp_me.text
assert resp_me.json()["role"] == "expired" assert resp_me.json()["role"] == "expired"
resp_brand = client.get("/api/v1/brand/dummy", headers={"X-Authenticated-User": "user2"}) resp_brand = client.get("/api/v1/brand/dummy", headers={"X-Authenticated-User": "praktika"})
assert resp_brand.status_code == 200, resp_brand.text assert resp_brand.status_code == 200, resp_brand.text