[ERSSUP-89806]-[]-[Added IT for user attempting to use app-restricted business functions]-[JW]

nhsd-jack-wainwright · nhsd-jack-wainwright · commit 1ee4f6b9b1b7 · 2025-09-01T15:48:57.000+01:00
diff --git a/tests/integration/test_headers.py b/tests/integration/test_headers.py
@@ -73,6 +73,43 @@ async def test_headers_on_echo_target(
             expected_amr,
         )
 
+    @pytest.mark.asyncio
+    @pytest.mark.parametrize(
+        "business_function",
+        ["PROVIDER_AUTHORISED_APPLICATION", "REFERRER_AUTHORISED_APPLICATION"],
+    )
+    async def test_headers_on_echo_target_with_app_restricted_business_function(
+        self, business_function, authenticate_user, service_url
+    ):
+        user = Actor.RC
+        access_code = await authenticate_user(user)
+        client_request_headers = {
+            _HEADER_ECHO: "",  # enable echo target
+            _HEADER_AUTHORIZATION: "Bearer " + access_code,
+            _HEADER_REQUEST_ID: "DUMMY-VALUE",
+            RenamedHeader.REFERRAL_ID.original: _EXPECTED_REFERRAL_ID,
+            RenamedHeader.CORRELATION_ID.original: _EXPECTED_CORRELATION_ID,
+            RenamedHeader.BUSINESS_FUNCTION.original: business_function,
+            RenamedHeader.ODS_CODE.original: user.org_code,
+            RenamedHeader.FILENAME.original: _EXPECTED_FILENAME,
+            RenamedHeader.COMM_RULE_ORG.original: _EXPECTED_COMM_RULE_ORG,
+            RenamedHeader.OBO_USER_ID.original: _EXPECTED_OBO_USER_ID,
+        }
+
+        # Make the API call
+        response = requests.get(service_url, headers=client_request_headers)
+
+        assert response.status_code == 403, (
+            "Expected a 403 response when attempting to call the endpoint, but instead received a "
+            + str(response.status_code)
+        )
+
+        response_body = response.text()
+        assert response_body == "Forbidden", (
+            "Expected the text 'Forbidden' to be returned in the body of the response when attempting to call the endpoint, but instead received "
+            + response_body
+        )
+
     @pytest.mark.asyncio
     @pytest.mark.parametrize(
         "endpoint_url,is_r4",
@@ -475,7 +512,7 @@ def test_unknown_access_code(
             assert renamed_header.renamed not in client_response_headers
 
     @pytest.mark.asyncio
-    @pytest.mark.parametrize("service_name", [(None)])
+    @pytest.mark.parametrize("service_name", [None])
     async def test_access_code_not_supported(
         self, referring_clinician, authenticate_user, service_url
     ):
