4bade795fd
Unit (`tests/unit/test_user_schemas.py`): - 4 tests on `UserCreate` (happy path, password min length, email validation, invalid type). - 2 tests on `UserUpdate` (all-optional, password validation when set). - 3 tests on `EngagementMemberCreate` (default `"member"`, explicit role, max-length 40). - 4 tests on `PageQuery` (defaults, offset arithmetic, page_size cap, page lower bound). Integration (`tests/integration/test_user_mgmt_e2e.py`, marked `integration`): - The critical MA6-in-practice flow: rt_lead creates rt_operator, assigns to engagement A, the operator signs in, lists engagements and sees only A, `GET /engagements/B` returns 404 (anti-leak), `GET /engagements/B/members` returns 404 too, `/engagements/A/members` is reachable, `GET /users` is forbidden for the operator. - `USER_MANAGE` gate: anonymous → 401, operator session → 403, lead session → 200. - 409 `email_taken` on duplicate `POST /users`. - `/audit/log` is lead-only, paginates with `page_size`, filters by `?action=`. - Disabling a user blocks subsequent logins (same uniform `invalid_credentials` envelope as for bad passwords — no enumeration leak of "this account was disabled"). 74 unit tests pass (61 sprint 1 + 13 sprint 2); integration tests run on the testcontainers Postgres fixture in CI.
9.3 KiB
9.3 KiB