steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

http: gated test for admin-band reject of operator (lands fully in B4+E1)

Browse Source
This commit is contained in:
Steve Cliff
2026-05-05 09:14:55 +01:00
parent f87ba29836
commit 95aee73e2c
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/http/rbac_test.go
+23
View File
@@ -94,3 +94,26 @@ func TestRequireRoleUnauthenticated401OnAPI(t *testing.T) {
t.Errorf("status: got %d want 401", rr.Code)
}
}
func TestAdminBandRejectsOperator(t *testing.T) {
t.Parallel()
// This test will start asserting 403 once Task B4 mounts /api/users
// inside the admin band and Task E1 lands the handler. Until then,
// the route 404s — we skip rather than red-flag the suite.
t.Skip("re-enable after B4 route grouping + E1 /api/users handler land")
srv, urlBase := newTestServer(t, false)
makeUser(t, srv, "admin1", store.RoleAdmin)
opID := makeUser(t, srv, "op1", store.RoleOperator)
cookie := loginAs(t, srv, opID)
req, _ := stdhttp.NewRequest("GET", urlBase+"/api/users", nil)
req.AddCookie(cookie)
res, err := stdhttp.DefaultClient.Do(req)
if err != nil {
t.Fatalf("GET: %v", err)
}
defer res.Body.Close()
if res.StatusCode != stdhttp.StatusForbidden {
t.Errorf("status: got %d want 403", res.StatusCode)
}
}