test: add multi-user data isolation tests

asheshv · asheshv · commit 2e5999832595 · 2026-04-08T15:56:47.000+05:30
- ServerGroupIsolationTestCase: verify non-admin cannot fetch
  another user's server group properties
- ServerDataIsolationGetTestCase: verify non-admin cannot access
  another user's private server
- SharedServerAccessTestCase: verify shared servers remain
  accessible cross-user (positive regression test)

Tests use create_user_wise_test_client pattern and only run in
SERVER_MODE with pgAdmin4_test_non_admin_credentials configured.
diff --git a/web/pgadmin/browser/server_groups/servers/tests/test_server_data_isolation.py b/web/pgadmin/browser/server_groups/servers/tests/test_server_data_isolation.py
@@ -0,0 +1,121 @@
+##########################################################################
+#
+# pgAdmin 4 - PostgreSQL Tools
+#
+# Copyright (C) 2013 - 2026, The pgAdmin Development Team
+# This software is released under the PostgreSQL Licence
+#
+##########################################################################
+
+"""Tests for server data isolation between users in server mode."""
+
+import json
+import config
+from pgadmin.utils.route import BaseTestGenerator
+from regression.python_test_utils import test_utils as utils
+from regression.test_setup import config_data
+from regression.python_test_utils.test_utils import \
+    create_user_wise_test_client
+from . import utils as servers_utils
+
+test_user_details = None
+if config.SERVER_MODE:
+    test_user_details = \
+        config_data['pgAdmin4_test_non_admin_credentials']
+
+
+class ServerDataIsolationGetTestCase(BaseTestGenerator):
+    """Verify that a non-admin user cannot access another user's
+    private (non-shared) server by ID."""
+
+    scenarios = [
+        ('User B gets 410 for User A private server',
+         dict(is_positive_test=False)),
+    ]
+
+    def setUp(self):
+        if not config.SERVER_MODE:
+            self.skipTest(
+                'Data isolation tests only apply to server mode.'
+            )
+
+        # Create a private (non-shared) server as the admin user
+        self.server['shared'] = False
+        url = "/browser/server/obj/{0}/".format(utils.SERVER_GROUP)
+        response = self.tester.post(
+            url,
+            data=json.dumps(self.server),
+            content_type='html/json'
+        )
+        response_data = json.loads(response.data.decode('utf-8'))
+        self.server_id = response_data['node']['_id']
+
+    @create_user_wise_test_client(test_user_details)
+    def runTest(self):
+        """Non-admin user should NOT be able to GET another user's
+        private server."""
+        if not self.server_id:
+            raise Exception("Server not found to test isolation")
+
+        url = '/browser/server/obj/{0}/{1}'.format(
+            utils.SERVER_GROUP, self.server_id)
+        response = self.tester.get(url, follow_redirects=True)
+        # Expect 410 Gone (server not accessible to this user)
+        self.assertIn(
+            response.status_code, [404, 410],
+            'Non-admin user should not access another user\'s '
+            'private server. Got status {0}'.format(
+                response.status_code)
+        )
+
+    def tearDown(self):
+        # Clean up with the admin tester (which owns the server)
+        utils.delete_server_with_api(
+            self.__class__.tester, self.server_id)
+
+
+class SharedServerAccessTestCase(BaseTestGenerator):
+    """Verify that a shared server IS accessible by a non-admin
+    user (positive test — shared servers should work after the
+    isolation fixes)."""
+
+    scenarios = [
+        ('User B can access shared server from User A',
+         dict(is_positive_test=True)),
+    ]
+
+    def setUp(self):
+        if not config.SERVER_MODE:
+            self.skipTest(
+                'Data isolation tests only apply to server mode.'
+            )
+
+        # Create a shared server as the admin user
+        self.server['shared'] = True
+        url = "/browser/server/obj/{0}/".format(utils.SERVER_GROUP)
+        response = self.tester.post(
+            url,
+            data=json.dumps(self.server),
+            content_type='html/json'
+        )
+        response_data = json.loads(response.data.decode('utf-8'))
+        self.server_id = response_data['node']['_id']
+
+    @create_user_wise_test_client(test_user_details)
+    def runTest(self):
+        """Non-admin user SHOULD be able to GET a shared server."""
+        if not self.server_id:
+            raise Exception("Server not found to test shared access")
+
+        url = '/browser/server/obj/{0}/{1}'.format(
+            utils.SERVER_GROUP, self.server_id)
+        response = self.tester.get(url, follow_redirects=True)
+        self.assertEqual(
+            response.status_code, 200,
+            'Non-admin user should be able to access shared server.'
+            ' Got status {0}'.format(response.status_code)
+        )
+
+    def tearDown(self):
+        utils.delete_server_with_api(
+            self.__class__.tester, self.server_id)
diff --git a/web/pgadmin/browser/server_groups/tests/test_sg_data_isolation.py b/web/pgadmin/browser/server_groups/tests/test_sg_data_isolation.py
@@ -0,0 +1,73 @@
+##########################################################################
+#
+# pgAdmin 4 - PostgreSQL Tools
+#
+# Copyright (C) 2013 - 2026, The pgAdmin Development Team
+# This software is released under the PostgreSQL Licence
+#
+##########################################################################
+
+"""Tests for ServerGroup data isolation between users in server mode."""
+
+import json
+import config
+from pgadmin.utils.route import BaseTestGenerator
+from regression.python_test_utils import test_utils as utils
+from regression.test_setup import config_data
+from regression.python_test_utils.test_utils import \
+    create_user_wise_test_client
+from pgadmin.model import db, ServerGroup
+
+test_user_details = None
+if config.SERVER_MODE:
+    test_user_details = \
+        config_data['pgAdmin4_test_non_admin_credentials']
+
+
+class ServerGroupIsolationTestCase(BaseTestGenerator):
+    """Verify that a non-admin user cannot fetch another user's
+    server group properties by ID."""
+
+    scenarios = [
+        ('User B cannot fetch User A server group properties',
+         dict(is_positive_test=False)),
+    ]
+
+    def setUp(self):
+        if not config.SERVER_MODE:
+            self.skipTest(
+                'Data isolation tests only apply to server mode.'
+            )
+
+        # Create a server group as the admin user
+        url = '/browser/server_group/obj/'
+        response = self.tester.post(
+            url,
+            data=json.dumps({'name': 'isolation_test_group'}),
+            content_type='html/json'
+        )
+        response_data = json.loads(response.data.decode('utf-8'))
+        self.sg_id = response_data['node']['_id']
+
+    @create_user_wise_test_client(test_user_details)
+    def runTest(self):
+        """Non-admin user should NOT see another user's server
+        group properties."""
+        if not self.sg_id:
+            raise Exception("Server group not created")
+
+        url = '/browser/server_group/obj/{0}'.format(self.sg_id)
+        response = self.tester.get(url, content_type='html/json')
+        self.assertIn(
+            response.status_code, [404, 410],
+            'Non-admin user should not access another user\'s '
+            'server group. Got status {0}'.format(
+                response.status_code)
+        )
+
+    def tearDown(self):
+        # Clean up with admin
+        sg = ServerGroup.query.filter_by(id=self.sg_id).first()
+        if sg:
+            db.session.delete(sg)
+            db.session.commit()
