From 95aee73e2c455519a7755cebc24702f4a8f82011 Mon Sep 17 00:00:00 2001
From: Steve Cliff
Date: Tue, 5 May 2026 09:14:55 +0100
Subject: [PATCH] http: gated test for admin-band reject of operator (lands fully in B4+E1)

---
 internal/server/http/rbac_test.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/internal/server/http/rbac_test.go b/internal/server/http/rbac_test.go
index e4b711d..2e147a8 100644
--- a/internal/server/http/rbac_test.go
+++ b/internal/server/http/rbac_test.go
@@ -94,3 +94,26 @@ func TestRequireRoleUnauthenticated401OnAPI(t *testing.T) {
 t.Errorf("status: got %d want 401", rr.Code)
 }
 }
+
+func TestAdminBandRejectsOperator(t *testing.T) {
+ t.Parallel()
+ // This test will start asserting 403 once Task B4 mounts /api/users
+ // inside the admin band and Task E1 lands the handler. Until then,
+ // the route 404s — we skip rather than red-flag the suite.
+ t.Skip("re-enable after B4 route grouping + E1 /api/users handler land")
+ srv, urlBase := newTestServer(t, false)
+ makeUser(t, srv, "admin1", store.RoleAdmin)
+ opID := makeUser(t, srv, "op1", store.RoleOperator)
+ cookie := loginAs(t, srv, opID)
+
+ req, _ := stdhttp.NewRequest("GET", urlBase+"/api/users", nil)
+ req.AddCookie(cookie)
+ res, err := stdhttp.DefaultClient.Do(req)
+ if err != nil {
+ t.Fatalf("GET: %v", err)
+ }
+ defer res.Body.Close()
+ if res.StatusCode != stdhttp.StatusForbidden {
+ t.Errorf("status: got %d want 403", res.StatusCode)
+ }
+}
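Review bot: The unconditional `t.Skip` at the top of TestAdminBandRejectsOperator leaves the admin-band access check with no live signal, and nothing in this commit re-enables it once B4 and E1 land — a skipped RBAC test is easy to forget and reads green forever. The invariant that matters for security holds both before and after those tasks (an operator must never get a 200 from `/api/users`), so the test can run now: drop the `t.Skip` line and replace the final `if` with `if res.StatusCode == stdhttp.StatusOK { t.Fatalf("operator reached /api/users: got 200") }`, then tighten to `!= StatusForbidden` when the handler is mounted. Two smaller points in the same function: `req, _ := stdhttp.NewRequest(...)` discards the constructor error, and `stdhttp.DefaultClient` follows redirects and has no timeout, so if the admin band ever answers with a redirect the asserted status would be that of the redirect target rather than the 403; if `newTestServer` returns an `*httptest.Server` (not visible in this hunk), `srv.Client()` with `CheckRedirect` returning `stdhttp.ErrUseLastResponse` would pin the first response.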