feat: Implement admin role validation and enhance user management scripts

2026-02-08 23:19:30 -05:00
parent 060b2953fa
commit 27f02224ab
8 changed files with 227 additions and 34 deletions
--- a/backend/tests/test_admin_api.py
+++ b/backend/tests/test_admin_api.py
@@ -39,7 +39,8 @@ def admin_user():
        marked_for_deletion=False,
        marked_for_deletion_at=None,
        deletion_in_progress=False,
-        deletion_attempted_at=None
+        deletion_attempted_at=None,
+        role='admin'
    )
    users_db.insert(user.to_dict())
    
@@ -63,7 +64,8 @@ def setup_deletion_queue():
        marked_for_deletion=False,
        marked_for_deletion_at=None,
        deletion_in_progress=False,
-        deletion_attempted_at=None
+        deletion_attempted_at=None,
+        role='admin'
    )
    users_db.insert(admin.to_dict())
    
@@ -185,7 +187,8 @@ class TestGetDeletionQueue:
            marked_for_deletion=False,
            marked_for_deletion_at=None,
            deletion_in_progress=False,
-            deletion_attempted_at=None
+            deletion_attempted_at=None,
+            role='admin'
        )
        users_db.insert(admin.to_dict())
        
@@ -340,7 +343,8 @@ class TestTriggerDeletionQueue:
            marked_for_deletion=False,
            marked_for_deletion_at=None,
            deletion_in_progress=False,
-            deletion_attempted_at=None
+            deletion_attempted_at=None,
+            role='admin'
        )
        users_db.insert(admin.to_dict())
        
@@ -353,14 +357,74 @@ class TestTriggerDeletionQueue:


 class TestAdminRoleValidation:
-    """Tests for admin role validation (placeholder for future implementation)."""
+    """Tests for admin role validation."""
    
    def test_non_admin_user_access(self, client):
        """
        Test that non-admin users cannot access admin endpoints.
+        """
+        users_db.truncate()
        
-        NOTE: This test will need to be updated once admin role validation
-        is implemented. Currently, all authenticated users can access admin endpoints.
+        # Create non-admin user (role='user')
+        user = User(
+            id='regular_user',
+            email='user@example.com',
+            first_name='Test',
+            last_name='User',
+            password='hash',
+            marked_for_deletion=False,
+            marked_for_deletion_at=None,
+            deletion_in_progress=False,
+            deletion_attempted_at=None,
+            role='user'
+        )
+        users_db.insert(user.to_dict())
+        
+        # Create token for non-admin
+        token = jwt.encode({'user_id': 'regular_user'}, 'supersecretkey', algorithm='HS256')
+        
+        client.set_cookie('token', token)
+        response = client.get('/admin/deletion-queue')
+        
+        # Should return 403 Forbidden
+        assert response.status_code == 403
+        data = response.get_json()
+        assert data['code'] == 'ADMIN_REQUIRED'
+        assert 'Admin access required' in data['error']
+    
+    def test_admin_user_access(self, client):
+        """
+        Test that admin users can access admin endpoints.
+        """
+        users_db.truncate()
+        
+        # Create admin user (role='admin')
+        admin = User(
+            id='admin_user',
+            email='admin@example.com',
+            first_name='Admin',
+            last_name='User',
+            password='hash',
+            marked_for_deletion=False,
+            marked_for_deletion_at=None,
+            deletion_in_progress=False,
+            deletion_attempted_at=None,
+            role='admin'
+        )
+        users_db.insert(admin.to_dict())
+        
+        # Create token for admin
+        token = jwt.encode({'user_id': 'admin_user'}, 'supersecretkey', algorithm='HS256')
+        
+        client.set_cookie('token', token)
+        response = client.get('/admin/deletion-queue')
+        
+        # Should succeed
+        assert response.status_code == 200
+    
+    def test_update_threshold_requires_admin(self, client):
+        """
+        Test that updating deletion threshold requires admin role.
        """
        users_db.truncate()
        
@@ -369,26 +433,17 @@ class TestAdminRoleValidation:
            id='regular_user',
            email='user@example.com',
            first_name='Test',
-        last_name='User',
-        password='hash',
-            marked_for_deletion=False,
-            marked_for_deletion_at=None,
-            deletion_in_progress=False,
-            deletion_attempted_at=None
+            last_name='User',
+            password='hash',
+            role='user'
        )
        users_db.insert(user.to_dict())
        
-        # Create token for non-admin
        token = jwt.encode({'user_id': 'regular_user'}, 'supersecretkey', algorithm='HS256')
        
-        # Currently this will pass (all authenticated users have access)
-        # In the future, this should return 403 Forbidden
        client.set_cookie('token', token)
-        response = client.get('/admin/deletion-queue')
+        response = client.put('/admin/deletion-threshold', json={'threshold_hours': 168})
        
-        # TODO: Change to 403 once admin role validation is implemented
-        assert response.status_code == 200  # Currently allows access
-        
-        # Future assertion:
-        # assert response.status_code == 403
-        # assert response.get_json()['code'] == 'FORBIDDEN'
+        assert response.status_code == 403
+        data = response.get_json()
+        assert data['code'] == 'ADMIN_REQUIRED'