"""Release acceptance checks for tenant scoping on the RBAC user endpoints.

The tests call ``/api/v3/rbac/users``, ``/api/v3/tenants``,
``/api/v3/entry-modules`` and ``/api/home/entry-modules`` with clients of
different privilege and check what each of them may read or change.
"""

from __future__ import annotations

import pytest

from .conftest import SeededUser, TenantSeed
from .helpers import ReleaseApiClient


@pytest.mark.release
def test_global_admin_can_query_cross_tenant_scope(
    admin_client: ReleaseApiClient,
    tenant_a: TenantSeed,
    tenant_b: TenantSeed,
) -> None:
    """Check that the admin client can list users for either seeded tenant.

    Both listings are fetched before anything is asserted.
    """
    # NOTE(review): only the response shape is checked. Nothing confirms that
    # the rows returned for a given tenant_code actually belong to that tenant,
    # so a filter that is ignored server-side would still pass. Consider
    # asserting each item's "tenant_code" once the filter semantics are
    # confirmed.
    listings = [
        ReleaseApiClient.json_data(
            admin_client.get(f"/api/v3/rbac/users?page=1&page_size=100&tenant_code={seed.tenant_code}")
        )
        for seed in (tenant_a, tenant_b)
    ]
    for listing in listings:
        assert isinstance(listing["items"], list)


@pytest.mark.release
def test_tenant_admin_is_limited_to_own_tenant_scope(
    tenant_admin_api: ReleaseApiClient,
    tenant_a: TenantSeed,
    tenant_b: TenantSeed,
    tenant_common_user_a: SeededUser,
    tenant_common_user_b: SeededUser,
) -> None:
    """Check that a tenant admin can read and modify only its own tenant.

    The expectations imply ``tenant_admin_api`` acts for tenant A -- presumably
    set up that way in conftest; confirm there.
    """
    # Unfiltered listing: tenant A must be visible and tenant B must not be.
    # NOTE(review): only the first page (100 rows) is inspected and only
    # tenant B is excluded, so rows from any other tenant, or tenant B rows on
    # a later page, would go unnoticed.
    unfiltered = tenant_admin_api.get("/api/v3/rbac/users?page=1&page_size=100")
    visible_codes = set()
    for row in ReleaseApiClient.json_data(unfiltered)["items"]:
        # A missing or None tenant_code is recorded as the empty string.
        visible_codes.add(str(row.get("tenant_code") or ""))
    assert tenant_a.tenant_code in visible_codes
    assert tenant_b.tenant_code not in visible_codes

    # Explicitly asking for the other tenant is refused.
    # Expected message: "cannot query users of other tenants".
    denied_listing = tenant_admin_api.get(
        f"/api/v3/rbac/users?page=1&page_size=20&tenant_code={tenant_b.tenant_code}",
        expected_status=403,
    )
    assert "不能查询其他租户用户" in denied_listing.text

    # Re-assigning an own-tenant user to the same tenant is accepted.
    allowed_update = tenant_admin_api.put(
        f"/api/v3/rbac/users/{tenant_common_user_a.user_id}/tenant",
        json={"tenant_code": tenant_a.tenant_code},
        expected_status=200,
    )
    updated_user = ReleaseApiClient.json_data(allowed_update)
    assert updated_user["tenant_code"] == tenant_a.tenant_code

    # Changing the tenant of a user from tenant B is refused.
    # Expected message: "cannot modify users of other tenants".
    # NOTE(review): the user is not re-read after the 403, so a handler that
    # rejects the request but still applies the change would not be caught.
    denied_update = tenant_admin_api.put(
        f"/api/v3/rbac/users/{tenant_common_user_b.user_id}/tenant",
        json={"tenant_code": tenant_a.tenant_code},
        expected_status=403,
    )
    assert "不能修改其他租户用户" in denied_update.text


@pytest.mark.release
def test_common_user_cannot_access_management_but_keeps_business_entry(
    common_api_a: ReleaseApiClient,
    release_entry_module: dict,
    admin_client: ReleaseApiClient,
    release_config,
    tenant_a: TenantSeed,
    tenant_b: TenantSeed,
) -> None:
    """Check that a common user is denied management APIs but sees the module.

    The admin client first enables the release entry module for both seeded
    tenants; the common user's client must then get 403 on the user and tenant
    listings and still find the module in its home entry list.
    """
    module_id = int(release_entry_module["id"])
    module_name = str(release_entry_module["name"])

    # NOTE(review): this PUT changes the module and the test does not restore
    # it; check whether the release_entry_module fixture handles teardown.
    module_payload = {
        "name": module_name,
        "description": "pytest release acceptance only",
        "path": release_config.module_path,
        "route_path": release_config.module_path,
        "tenants": [
            {
                "tenant_code": seed.tenant_code,
                "tenant_name": seed.tenant_name,
                "enabled": True,
                "sort_order": position,
            }
            for position, seed in enumerate((tenant_a, tenant_b), start=1)
        ],
    }
    admin_client.put(
        f"/api/v3/entry-modules/{module_id}",
        json=module_payload,
        expected_status=200,
    )

    # Management endpoints are refused for the common user.
    # Expected message fragment: "system settings management permission".
    denied_users = common_api_a.get("/api/v3/rbac/users?page=1&page_size=20", expected_status=403)
    assert "系统设置管理权限" in denied_users.text

    # Expected message fragment: "tenant".
    # NOTE(review): this fragment is short enough to match many unrelated
    # error bodies; the 403 is the meaningful signal here, presumably enforced
    # by the client through expected_status -- confirm in helpers.
    denied_tenants = common_api_a.get("/api/v3/tenants", expected_status=403)
    assert "租户" in denied_tenants.text

    # The business entry list stays reachable and contains the module.
    home_payload = ReleaseApiClient.json_data(common_api_a.get("/api/home/entry-modules"))
    listed_names = []
    for entry in home_payload:
        listed_names.append(str(entry.get("name") or ""))
    assert module_name in listed_names