fix: require permission for user role queries

2026-05-28 16:20:20 +08:00
parent 73ab66eb8c
commit 547fdab0b2
2 changed files with 6 additions and 6 deletions
--- a/internal/api/handler/handler_test.go
+++ b/internal/api/handler/handler_test.go
@@ -699,18 +699,18 @@ func TestUserHandler_UpdateUserStatus_RequiresAdmin(t *testing.T) {
 	}
 }

-func TestUserHandler_GetUserRoles_Success(t *testing.T) {
+func TestUserHandler_GetUserRoles_ForbiddenForRegularUser(t *testing.T) {
 	server, cleanup := setupHandlerTestServer(t)
 	defer cleanup()

-	registerUser(server.URL, "rolesadmin", "rolesadmin@test.com", "AdminPass123!")
-	token := getToken(server.URL, "rolesadmin", "AdminPass123!")
+	registerUser(server.URL, "rolesuser", "rolesuser@test.com", "UserPass123!")
+	token := getToken(server.URL, "rolesuser", "UserPass123!")

 	resp, _ := doGet(server.URL+"/api/v1/users/1/roles", token)
 	defer resp.Body.Close()

-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("expected status %d, got %d", http.StatusOK, resp.StatusCode)
+	if resp.StatusCode != http.StatusForbidden {
+		t.Errorf("expected status %d for non-admin user, got %d", http.StatusForbidden, resp.StatusCode)
 	}
 }