Covers upload (sessions, artifacts, local-md), scripts (deploy/run/delete), settings (get/dataset), memory (CRUD, voting, admin governance), access-requests (create, approve, deny), permissions (grant/revoke/list), metadata (get/save/push), and admin configure+registry endpoints. Each file tests happy path, auth required (401), role enforcement (403), and input validation (422) independently using the seeded_app fixture.
"""Tests for user settings API endpoints."""
import pytest
def _auth(token):
    """Build the ``Authorization`` header for a bearer ``token``.

    No shaping or validation happens here: whatever the ``seeded_app`` fixture
    hands out is forwarded verbatim, so a test passing a bogus value exercises
    the server's token check, not this helper.
    """
    return dict(Authorization="Bearer " + str(token))
class TestSettingsGet:
    """``GET /api/settings`` — the caller's own settings, resolved from the bearer token.

    The endpoint takes no user identifier, so which record comes back is decided
    purely by the token; the first two tests pin that admin and analyst tokens
    each resolve to their own ``user_id``.
    """

    def test_get_settings_returns_user_id(self, seeded_app):
        """Admin token resolves to ``admin1`` and the payload has both top-level sections."""
        client = seeded_app["client"]
        response = client.get("/api/settings", headers=_auth(seeded_app["admin_token"]))
        assert response.status_code == 200
        body = response.json()
        assert body["user_id"] == "admin1"
        # Presence only — the contents of each section are covered by other tests.
        for key in ("sync_settings", "permissions"):
            assert key in body

    def test_get_settings_analyst(self, seeded_app):
        """A non-admin token resolves to its own identity, never the admin's."""
        client = seeded_app["client"]
        response = client.get("/api/settings", headers=_auth(seeded_app["analyst_token"]))
        assert response.status_code == 200
        assert response.json()["user_id"] == "analyst1"

    def test_get_settings_requires_auth(self, seeded_app):
        """A request with no ``Authorization`` header at all is rejected with 401."""
        # NOTE(review): only the missing-header case is covered; a malformed or
        # expired bearer token is not exercised anywhere in this file.
        response = seeded_app["client"].get("/api/settings")
        assert response.status_code == 401

    def test_get_settings_empty_permissions_for_new_user(self, seeded_app):
        """The ``permissions`` field is a list even when the caller holds no grants.

        NOTE(review): despite the name, this runs against the seeded admin token and
        only checks the field's type — it does not show that a freshly created user
        starts with an empty list.
        """
        client = seeded_app["client"]
        response = client.get("/api/settings", headers=_auth(seeded_app["admin_token"]))
        assert response.status_code == 200
        permissions = response.json()["permissions"]
        assert isinstance(permissions, list)
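class TestSettingsDataset:
    """``PUT /api/settings/dataset`` — enabling or disabling a dataset for the caller.

    The endpoint authorises against the per-user dataset permission table and has
    no implicit bypass for the admin role. The tests below pin that behaviour so a
    regression that hands admins blanket access does not go unnoticed, and they
    assert that every setup grant actually succeeded instead of relying on it.
    """

    def _grant(self, client, admin_token, user_id, dataset, access="read"):
        """Grant ``access`` on ``dataset`` to ``user_id`` through the admin API.

        Returns the grant response. Fails the test if the grant is rejected: the
        original tests fired this request without checking it, so a broken grant
        endpoint would only surface as a confusing 403 further down — or not at
        all if the fixture already held the grant.
        """
        response = client.post(
            "/api/admin/permissions",
            json={"user_id": user_id, "dataset": dataset, "access": access},
            headers=_auth(admin_token),
        )
        # Exact success code (200 vs 201) is not pinned here; only that it is not an error.
        assert response.status_code < 400, (
            f"permission grant failed: {response.status_code} {response.text}"
        )
        return response

    def test_update_dataset_setting_with_permission(self, seeded_app):
        """Admin grants read on ``sales_data`` to the analyst; the analyst can then enable it."""
        client = seeded_app["client"]
        self._grant(client, seeded_app["admin_token"], "analyst1", "sales_data")

        response = client.put(
            "/api/settings/dataset",
            json={"dataset": "sales_data", "enabled": True},
            headers=_auth(seeded_app["analyst_token"]),
        )
        assert response.status_code == 200
        body = response.json()
        assert body["dataset"] == "sales_data"
        assert body["enabled"] is True

    def test_update_dataset_setting_without_permission_returns_403(self, seeded_app):
        """An analyst with no grant on the dataset is refused — the core authorisation check."""
        response = seeded_app["client"].put(
            "/api/settings/dataset",
            json={"dataset": "secret_data", "enabled": True},
            headers=_auth(seeded_app["analyst_token"]),
        )
        assert response.status_code == 403

    def test_update_dataset_setting_requires_auth(self, seeded_app):
        """Unauthenticated callers are rejected with 401."""
        response = seeded_app["client"].put(
            "/api/settings/dataset",
            json={"dataset": "sales_data", "enabled": True},
        )
        assert response.status_code == 401

    def test_update_dataset_missing_fields_returns_422(self, seeded_app):
        """A body without ``enabled`` fails schema validation with 422."""
        response = seeded_app["client"].put(
            "/api/settings/dataset",
            json={"dataset": "sales_data"},  # 'enabled' deliberately omitted
            headers=_auth(seeded_app["admin_token"]),
        )
        assert response.status_code == 422

    def test_update_without_explicit_permission_returns_403_even_for_admin(self, seeded_app):
        """Admin role alone does not satisfy the dataset permission check.

        The endpoint consults the per-user dataset permission table
        (``perm_repo.has_access`` per the original comment) and has no admin
        bypass, so an admin with no explicit grant on the dataset is refused
        exactly like any other user. Keep this test: it is the guard against a
        future "admins can do anything" shortcut being added to this path.
        """
        response = seeded_app["client"].put(
            "/api/settings/dataset",
            json={"dataset": "any_dataset_no_perm", "enabled": False},
            headers=_auth(seeded_app["admin_token"]),
        )
        assert response.status_code == 403

    def test_disable_dataset_with_permission(self, seeded_app):
        """With an explicit grant on the dataset, admin can disable it for themselves."""
        client = seeded_app["client"]
        admin_token = seeded_app["admin_token"]
        self._grant(client, admin_token, "admin1", "some_table")

        response = client.put(
            "/api/settings/dataset",
            json={"dataset": "some_table", "enabled": False},
            headers=_auth(admin_token),
        )
        assert response.status_code == 200
        assert response.json()["enabled"] is False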