test(authorization): cover end-to-end ACL filtering for authorized_users

devGregA · devGregA · commit cc0c92736b7e · 2026-04-30T09:25:50.000-06:00
Existing tests verified user_has_permission() flips when an admin adds /
removes via the new endpoints, but did not exercise the actual
view-level gating. New cases assert end-to-end via the Django test
client:

* unauthorized non-staff hitting view_product / view_product_type 400s
  (handler403 → custom_unauthorized_view)
* authorized user (direct or cascading via product_type) gets 200
* the product list page filters by membership (unauthorized user does
  not see the product; authorized member does)
* product_type cascade is visible — adding to Product_Type.authorized_users
  surfaces its products in the product list for the cascade member
diff --git a/unittests/test_authorized_users_ui.py b/unittests/test_authorized_users_ui.py
@@ -93,6 +93,31 @@ def test_panel_renders_with_authorized_user_listed(self):
         self.assertNotIn(">Members</h4>", body)
         self.assertNotIn(">Groups</h4>", body)
 
+    def test_unauthorized_user_locked_out_of_detail(self):
+        self.client.force_login(self.bystander)
+        response = self.client.get(reverse("view_product", args=(self.product.id,)))
+        # custom_unauthorized_view (handler403) renders with status=400.
+        self.assertEqual(response.status_code, 400)
+
+    def test_authorized_user_can_view_detail(self):
+        self.product.authorized_users.add(self.target)
+        self.client.force_login(self.target)
+        response = self.client.get(reverse("view_product", args=(self.product.id,)))
+        self.assertEqual(response.status_code, 200)
+
+    def test_unauthorized_user_does_not_see_product_in_list(self):
+        self.client.force_login(self.bystander)
+        response = self.client.get(reverse("product"))
+        self.assertEqual(response.status_code, 200)
+        self.assertNotIn(self.product.name, response.content.decode("utf-8"))
+
+    def test_authorized_user_sees_product_in_list(self):
+        self.product.authorized_users.add(self.target)
+        self.client.force_login(self.target)
+        response = self.client.get(reverse("product"))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(self.product.name, response.content.decode("utf-8"))
+
 
 class TestProductTypeAuthorizedUsersUI(AuthorizedUsersUIBaseTestCase):
 
@@ -144,3 +169,28 @@ def test_panel_renders_with_authorized_user_listed(self):
         self.assertIn(self.target.username, body)
         self.assertNotIn(">Members</h4>", body)
         self.assertNotIn(">Groups</h4>", body)
+
+    def test_unauthorized_user_locked_out_of_detail(self):
+        self.client.force_login(self.bystander)
+        response = self.client.get(reverse("view_product_type", args=(self.pt.id,)))
+        self.assertEqual(response.status_code, 400)
+
+    def test_authorized_user_can_view_detail(self):
+        self.pt.authorized_users.add(self.target)
+        self.client.force_login(self.target)
+        response = self.client.get(reverse("view_product_type", args=(self.pt.id,)))
+        self.assertEqual(response.status_code, 200)
+
+    def test_authorized_user_sees_cascading_product_in_list(self):
+        # cascade: membership on the product_type grants access to its products
+        self.pt.authorized_users.add(self.target)
+        self.client.force_login(self.target)
+        response = self.client.get(reverse("product"))
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(self.product.name, response.content.decode("utf-8"))
+
+    def test_unauthorized_user_does_not_see_product_type_in_list(self):
+        self.client.force_login(self.bystander)
+        response = self.client.get(reverse("product_type"))
+        self.assertEqual(response.status_code, 200)
+        self.assertNotIn(self.pt.name, response.content.decode("utf-8"))
