@@ -259,7 +259,6 @@ def test_permission_validation_staff_superuser_access(self, scope: str, expected
259259
260260 @data (
261261 # Single permission
262- [{"action" : "edit_library" }],
263262 [{"scope" : "lib:Org1:LIB1" }],
264263 [{"action" : "edit_library" , "scope" : "" }],
265264 [{"action" : "edit_library" , "scope" : "s" * 256 }],
@@ -281,10 +280,6 @@ def test_permission_validation_staff_superuser_access(self, scope: str, expected
281280 {"action" : "edit_library" , "scope" : "lib:Org1:LIB1" },
282281 {"scope" : "lib:Org1:LIB1" },
283282 ],
284- [
285- {"action" : "edit_library" , "scope" : "lib:Org1:LIB1" },
286- {"action" : "edit_library" },
287- ],
288283 )
289284 def test_permission_validation_invalid_data (self , invalid_data : list [dict ]):
290285 """Test permission validation with invalid request data.
@@ -296,6 +291,62 @@ def test_permission_validation_invalid_data(self, invalid_data: list[dict]):
296291
297292 self .assertEqual (response .status_code , status .HTTP_400_BAD_REQUEST )
298293
294+ @data (
295+ # Single action the user has in some scope (LIBRARY_USER on lib:Org1:LIB1) - allowed
296+ ([{"action" : permissions .VIEW_LIBRARY .identifier }], [True ]),
297+ # Single action the user has in no scope - denied
298+ ([{"action" : permissions .MANAGE_LIBRARY_TEAM .identifier }], [False ]),
299+ # Multiple actions - mixed results
300+ (
301+ [
302+ {"action" : permissions .VIEW_LIBRARY .identifier },
303+ {"action" : permissions .MANAGE_LIBRARY_TEAM .identifier },
304+ {"action" : permissions .COURSES_MANAGE_COURSE_TEAM .identifier },
305+ ],
306+ [True , False , False ],
307+ ),
308+ )
309+ @unpack
310+ def test_permission_validation_any_scope_success (self , request_data : list [dict ], permission_map : list [bool ]):
311+ """Test permission validation without a scope (any-scope check).
312+
313+ When the scope is omitted, the permission is validated across any scope: the user
314+ is allowed if they hold the permission in at least one scope.
315+
316+ Expected result:
317+ - Returns 200 OK status
318+ - Response omits the scope key and reports the any-scope result
319+ """
320+ self .client .force_authenticate (user = self .regular_user )
321+ expected_response = [
322+ {"action" : perm ["action" ], "allowed" : allowed }
323+ for perm , allowed in zip (request_data , permission_map )
324+ ]
325+
326+ response = self .client .post (self .url , data = request_data , format = "json" )
327+
328+ self .assertEqual (response .status_code , status .HTTP_200_OK )
329+ self .assertEqual (response .data , expected_response )
330+
331+ def test_permission_validation_any_scope_staff_always_allowed (self ):
332+ """Staff/superusers are allowed for any action when no scope is provided.
333+
334+ Expected result:
335+ - Returns 200 OK status
336+ - Every action is allowed regardless of explicit assignments
337+ """
338+ self .client .force_authenticate (user = self .admin_user )
339+ request_data = [
340+ {"action" : permissions .MANAGE_LIBRARY_TEAM .identifier },
341+ {"action" : permissions .COURSES_MANAGE_COURSE_TEAM .identifier },
342+ ]
343+ expected_response = [{"action" : perm ["action" ], "allowed" : True } for perm in request_data ]
344+
345+ response = self .client .post (self .url , data = request_data , format = "json" )
346+
347+ self .assertEqual (response .status_code , status .HTTP_200_OK )
348+ self .assertEqual (response .data , expected_response )
349+
299350 def test_permission_validation_unauthenticated (self ):
300351 """Test permission validation without authentication.
301352
0 commit comments