feat: update audit platform workspace

tests/test_rule_write_scope.py

@@ -1,5 +1,6 @@
 from fastapi_common.fastapi_common_web.domain.responses import StatusCodeEnum
 from fastapi_common.fastapi_common_web.exception.LeauditException import LeauditException
+import pytest
 
 from fastapi_modules.fastapi_leaudit.services.impl.rbacAdminServiceImpl import RbacAdminServiceImpl
 from fastapi_modules.fastapi_leaudit.services.impl.rbacServiceImpl import RbacServiceImpl
@@ -225,3 +226,25 @@ def test_permission_cache_is_shared_and_can_invalidate_user():
     PermissionServiceImpl.InvalidateUser(12345)
     assert 12345 not in first._permission_cache
     assert 12345 not in second._permission_cache
+
+
+@pytest.mark.asyncio
+async def test_rbac_admin_permission_assertion_uses_permission_service(monkeypatch):
+    service = RbacAdminServiceImpl()
+    checked_permissions: list[tuple[int, str]] = []
+
+    async def fake_context(user_id: int):
+        return {"can_manage": True, "is_super_admin": False}
+
+    async def fake_check_permission(self, user_id: int, permission_key: str):
+        checked_permissions.append((user_id, permission_key))
+        return permission_key != "rbac:roles:update"
+
+    monkeypatch.setattr(service, "_getCurrentUserContext", fake_context)
+    monkeypatch.setattr(PermissionServiceImpl, "CheckPermission", fake_check_permission)
+
+    with pytest.raises(LeauditException) as exc_info:
+        await service._assertPermissions(99, ["rbac:roles:update"])
+
+    assert exc_info.value.status == StatusCodeEnum.HTTP_403_FORBIDDEN
+    assert checked_permissions == [(99, "rbac:roles:update")]