@@ -1440,43 +1440,39 @@ def test_user_cannot_see_other_users_rules(self):
14401440 self .assertNotIn (self .token2 .token , user1_tokens )
14411441 self .assertNotIn (self .token1 .token , user2_tokens )
14421442
1443- def test_admin_can_see_all_rules (self ):
1444- """An admin should be able to see any user's rules."""
1443+ def test_admin_also_can_only_see_own_rules (self ):
1444+ """An admin should only be able to see their own rules, not other users' rules."""
14451445 self .client .login (username = "admin" , password = "admin" )
14461446
1447- # Admin can see user1's rules
1447+ # Admin should NOT be able to see user1's rules
14481448 response1 = self .client .get (self .user1_url )
1449- self .assertEqual (response1 .status_code , 200 )
1450- self .assertIn ("rules" , response1 .data )
1451- self .assertIsInstance (response1 .data ["rules" ], list )
1452-
1453- # Extract user1's tokens from admin's response
1454- user1_tokens = []
1455- for rule in response1 .data ["rules" ]:
1456- if "params" in rule and "access_token" in rule ["params" ]:
1457- user1_tokens .append (rule ["params" ]["access_token" ])
1458- elif "headers" in rule and "Authorization" in rule ["headers" ]:
1459- token = rule ["headers" ]["Authorization" ].split ()[- 1 ]
1460- user1_tokens .append (token )
1449+ self .assertEqual (response1 .status_code , 403 )
1450+ self .assertIn ("error" , response1 .data )
1451+ self .assertIn ("permission" , str (response1 .data ["error" ]).lower ())
14611452
1462- # Admin can see user2's rules
1453+ # Admin should NOT be able to see user2's rules
14631454 response2 = self .client .get (self .user2_url )
1464- self .assertEqual (response2 .status_code , 200 )
1465- self .assertIn ("rules" , response2 .data )
1466- self .assertIsInstance (response2 .data ["rules" ], list )
1467-
1468- # Extract user2's tokens from admin's response
1469- user2_tokens = []
1470- for rule in response2 .data ["rules" ]:
1455+ self .assertEqual (response2 .status_code , 403 )
1456+ self .assertIn ("error" , response2 .data )
1457+ self .assertIn ("permission" , str (response2 .data ["error" ]).lower ())
1458+
1459+ # Admin should be able to see their own rules
1460+ response_admin = self .client .get (self .admin_url )
1461+ self .assertEqual (response_admin .status_code , 200 )
1462+ self .assertIn ("rules" , response_admin .data )
1463+ self .assertIsInstance (response_admin .data ["rules" ], list )
1464+
1465+ # Extract admin's tokens from the response
1466+ admin_tokens = []
1467+ for rule in response_admin .data ["rules" ]:
14711468 if "params" in rule and "access_token" in rule ["params" ]:
1472- user2_tokens .append (rule ["params" ]["access_token" ])
1469+ admin_tokens .append (rule ["params" ]["access_token" ])
14731470 elif "headers" in rule and "Authorization" in rule ["headers" ]:
14741471 token = rule ["headers" ]["Authorization" ].split ()[- 1 ]
1475- user2_tokens .append (token )
1472+ admin_tokens .append (token )
14761473
1477- # Verify admin can see both users' tokens
1478- self .assertIn (self .token1 .token , user1_tokens )
1479- self .assertIn (self .token2 .token , user2_tokens )
1480-
1481- # Verify tokens are different
1482- self .assertNotEqual (user1_tokens , user2_tokens )
1474+ # Verify admin sees their own token, not other users' tokens
1475+ self .assertEqual (len (admin_tokens ), 3 ) # 3 rules with tokens
1476+ self .assertIn (self .admin_token .token , admin_tokens )
1477+ self .assertNotIn (self .token1 .token , admin_tokens )
1478+ self .assertNotIn (self .token2 .token , admin_tokens )
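Review bot: The two 403 branches (the `response1` and `response2` checks after the `self.client.get(self.user1_url)` / `self.user2_url` calls) only inspect the status code and the word "permission" in the error text, so a regression that denies with 403 but still serialises the other user's rules into the body would pass this test. Since the whole point of the test is that an admin must not obtain another user's access tokens, I would pin the forbidden body as well: `self.assertNotIn("rules", response1.data)` and `self.assertNotIn(self.token1.token, str(response1.data))`, with the mirror pair for `response2` / `self.token2.token`. The `self.assertEqual(len(admin_tokens), 3)  # 3 rules with tokens` assertion hard-codes a count that presumably comes from fixtures created in a setUp outside this hunk; if so, deriving it from the fixture (or asserting on the specific expected tokens only) would keep the test from breaking on unrelated fixture changes.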