mirror of https://github.com/Nezreka/SoulSync.git
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
46 lines
1.4 KiB
46 lines
1.4 KiB
"""#845 follow-up: the mutating verification-review endpoints (delete removes a
|
|
file from disk; approve flips verification state) must be admin-only, matching the
|
|
Phase 3 destructive-endpoint gating. The read/playback ones stay open."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import os
|
|
import tempfile
|
|
|
|
import pytest
|
|
|
|
_TMP = tempfile.mkdtemp(prefix='soulsync-testdb-vgate-')
|
|
os.environ['DATABASE_PATH'] = os.path.join(_TMP, 'v.db')
|
|
os.environ['SOULSYNC_TEST_DB_READY'] = '1'
|
|
|
|
web_server = pytest.importorskip('web_server')
|
|
|
|
|
|
@pytest.fixture
|
|
def client():
|
|
return web_server.app.test_client()
|
|
|
|
|
|
def _as_nonadmin(client):
|
|
pid = web_server.get_database().create_profile(name=f'u_{os.urandom(4).hex()}')
|
|
with client.session_transaction() as s:
|
|
s['profile_id'] = pid
|
|
return pid
|
|
|
|
|
|
def test_delete_is_admin_only(client):
|
|
_as_nonadmin(client)
|
|
assert client.post('/api/verification/1/delete').status_code == 403
|
|
|
|
|
|
def test_approve_is_admin_only(client):
|
|
_as_nonadmin(client)
|
|
assert client.post('/api/verification/1/approve').status_code == 403
|
|
|
|
|
|
def test_admin_not_blocked(client):
|
|
# default session resolves to admin (profile 1) — must pass the gate (a
|
|
# missing history id yields 404, NOT 403).
|
|
assert client.post('/api/verification/999999/delete').status_code != 403
|
|
assert client.post('/api/verification/999999/approve').status_code != 403
|