curo/kite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(05-11): add failing tests for delete_user password verification

Browse Source 
- test_delete_user_correct_password: 204 on correct admin password
- test_delete_user_wrong_password: 403 on wrong password, user survives
- test_delete_user_no_body: 422 when no body provided (Pydantic validation)
This commit is contained in:
curo1305
2026-05-30 11:37:12 +02:00
parent bd3b637d30
commit 8727592bff
1 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/tests/test_admin_api.py
+55
View File
@@ -355,3 +355,58 @@ async def test_admin_response_no_password_hash(admin_client):
for item in data["items"]: for item in data["items"]:
assert "password_hash" not in item assert "password_hash" not in item
assert "credentials_enc" not in item assert "credentials_enc" not in item
# ── Delete user tests (Plan 05-11: ADMIN-02, SEC-09) ─────────────────────────
@pytest.mark.asyncio
async def test_delete_user_correct_password(admin_client):
"""DELETE /api/admin/users/{id} with correct admin_password → 204; user is gone."""
client, admin, session = admin_client
target = await make_regular_user(session)
resp = await client.request(
"DELETE",
f"/api/admin/users/{target.id}",
json={"admin_password": "AdminPass1!Secret"},
)
assert resp.status_code == 204
# Verify the user no longer appears in the list
list_resp = await client.get("/api/admin/users")
assert list_resp.status_code == 200
ids = [u["id"] for u in list_resp.json()["items"]]
assert str(target.id) not in ids
@pytest.mark.asyncio
async def test_delete_user_wrong_password(admin_client):
"""DELETE /api/admin/users/{id} with wrong admin_password → 403; user is NOT deleted."""
client, admin, session = admin_client
target = await make_regular_user(session)
resp = await client.request(
"DELETE",
f"/api/admin/users/{target.id}",
json={"admin_password": "WrongPassword99!"},
)
assert resp.status_code == 403
data = resp.json()
assert data["detail"] == "Invalid admin password"
# Verify the user still exists
list_resp = await client.get("/api/admin/users")
assert list_resp.status_code == 200
ids = [u["id"] for u in list_resp.json()["items"]]
assert str(target.id) in ids
@pytest.mark.asyncio
async def test_delete_user_no_body(admin_client):
"""DELETE /api/admin/users/{id} with no body → 422 (Pydantic validation)."""
client, admin, session = admin_client
target = await make_regular_user(session)
resp = await client.delete(f"/api/admin/users/{target.id}")
assert resp.status_code == 422