gendesign/backend/app/core
Light1YT 0247f13fb6
All checks were successful
Deploy / changes (push) Successful in 5s
Deploy / build-frontend (push) Has been skipped
Deploy / build-backend (push) Successful in 1m35s
Deploy / build-worker (push) Successful in 2m49s
Deploy / deploy (push) Successful in 1m13s
test(rbac): test-mode bypass so api/v1 suite can authenticate (CI-rehab 1/3)
The whole backend api/v1 test suite hits `app` via TestClient mimo Caddy, so
rbac_guard (app/main.py) 401'd every authed request (no X-Authenticated-User)
— 112 tests red, the suite effectively dead (which is how #994's district 500
shipped uncaught). Add `settings.testing` (default False — prod RBAC untouched)
+ a strictly-gated bypass at the top of rbac_guard; tests/conftest.py enables it
(env TESTING=1 + settings.testing=True before app import).

Security: bypass fires ONLY when settings.testing is True, which is set NOWHERE
in prod (default False; only tests/conftest.py flips it). RBAC's 401/403 logic
stays covered by tests/test_rbac.py (its own middleware copy, ignores the flag).

Effect: 112 → 42 failed, 1590 → 1660 passed. Remaining 42 (+5 mv_layout env
errors) are stale-mock/assertion drift + env-required tests — fixed in CI-rehab
2/3. Foundation for a real Forgejo pytest gate (3/3).

Refs #944.
2026-06-03 18:29:20 +05:00
..
__init__.py init 2026-04-25 13:45:19 +03:00
auth.py feat(rbac): role-based access control via X-Authenticated-User middleware (#585) 2026-05-26 06:18:40 +00:00
config.py test(rbac): test-mode bypass so api/v1 suite can authenticate (CI-rehab 1/3) 2026-06-03 18:29:20 +05:00
db.py deploy.yml: sync compose+Caddyfile from git, reload caddy after up 2026-04-26 13:31:26 +03:00
deps.py refactor(admin): extract _check_token into shared AdminTokenAuth dep (#133) 2026-05-14 23:45:44 +03:00