fix(tradein/auth): restore brusnika (user2) pilot access #2512

Merged
lekss361 merged 2 commits from fix/unblock-user2-brusnika into main 2026-07-13 15:33:37 +00:00
Showing only changes of commit 409c53b41b - Show all commits

View file

@ -320,7 +320,7 @@ def test_rbac_expired_denied_on_non_admin_api(client: TestClient) -> None:
"""#R2-H3: revoked (role=expired, paths:[] deny:/**) НЕ достаёт non-admin API.
Раньше rbac_guard гейтил только /admin/* expired имел полный non-admin доступ
(POST /search экспорт листингов и т.д.). Теперь scope-blocked 403."""
for user in ("user2", "praktika"): # оба role=expired (trial отозван)
for user in ("praktika",): # role=expired (trial отозван; user2 восстановлен 2026-07-13)
for path in ("/api/v1/search", "/api/v1/trade-in/dummy"):
resp = client.get(path, headers={"X-Authenticated-User": user})
assert resp.status_code == 403, f"{user} {path}: {resp.status_code}"
@ -330,10 +330,10 @@ def test_rbac_expired_denied_on_non_admin_api(client: TestClient) -> None:
def test_rbac_expired_allowed_on_bootstrap(client: TestClient) -> None:
"""expired ДОЛЖЕН достучаться до /me (получить role=expired → trial-экран) и
/brand/* (брендинг trial-экрана) иначе UX сломан. Bootstrap-исключение."""
resp_me = client.get("/api/v1/me", headers={"X-Authenticated-User": "user2"})
resp_me = client.get("/api/v1/me", headers={"X-Authenticated-User": "praktika"})
assert resp_me.status_code == 200, resp_me.text
assert resp_me.json()["role"] == "expired"
resp_brand = client.get("/api/v1/brand/dummy", headers={"X-Authenticated-User": "user2"})
resp_brand = client.get("/api/v1/brand/dummy", headers={"X-Authenticated-User": "praktika"})
assert resp_brand.status_code == 200, resp_brand.text