squash!: Add tests

rodmgwgu · rodmgwgu · commit 5a8c242727b7 · 2026-03-31T17:38:59.000-06:00
diff --git a/openedx_authz/rest_api/v1/views.py b/openedx_authz/rest_api/v1/views.py
@@ -463,7 +463,6 @@ class TeamMembersAPIView(APIView):
     """
 
     pagination_class = AuthZAPIViewPagination
-    permission_classes = [DynamicScopePermission]  # TODO check if this is needed/works
 
     @apidocs.schema(
         parameters=[
@@ -481,7 +480,6 @@ class TeamMembersAPIView(APIView):
             status.HTTP_401_UNAUTHORIZED: "The user is not authenticated or does not have the required permissions",
         },
     )
-    @authz_permissions([permissions.VIEW_LIBRARY.identifier])
     def get(self, request: HttpRequest) -> Response:
         """Retrieve all users that have at least one assignation according to the filtering fields."""
         serializer = ListTeamMembersSerializer(data=request.query_params)
diff --git a/openedx_authz/tests/api/test_roles.py b/openedx_authz/tests/api/test_roles.py
@@ -27,6 +27,7 @@
     _get_field_index_and_values,
     assign_role_to_subject_in_scope,
     batch_assign_role_to_subjects_in_scope,
+    get_all_subject_role_assignments,
     get_all_subject_role_assignments_in_scope,
     get_permissions_for_active_roles_in_scope,
     get_permissions_for_single_role,
@@ -1110,6 +1111,43 @@ def test_get_all_role_assignments_in_scope(self, scope_name, expected_assignment
         for assignment in role_assignments:
             self.assertIn(assignment, expected_assignments)
 
+    def test_get_all_subject_role_assignments(self):
+        """Test retrieving all role assignments across all subjects and scopes.
+
+        Expected result:
+            - Returns all role assignments present in the system.
+            - Each assignment includes subject, role, and scope.
+            - Known assignments from the test setup are present in the result.
+        """
+        role_assignments = get_all_subject_role_assignments()
+
+        self.assertGreater(len(role_assignments), 0)
+
+        # Verify each assignment has the expected structure
+        for assignment in role_assignments:
+            self.assertIsNotNone(assignment.subject)
+            self.assertIsNotNone(assignment.scope)
+            self.assertTrue(len(assignment.roles) > 0)
+            for role in assignment.roles:
+                self.assertIsNotNone(role.external_key)
+
+        # Verify known assignments from setup are present
+        subject_scope_role_triples = {
+            (a.subject.external_key, a.scope.external_key, a.roles[0].external_key) for a in role_assignments
+        }
+        self.assertIn(
+            ("alice", "lib:Org1:math_101", roles.LIBRARY_ADMIN.external_key),
+            subject_scope_role_triples,
+        )
+        self.assertIn(
+            ("eve", "lib:Org2:physics_401", roles.LIBRARY_ADMIN.external_key),
+            subject_scope_role_triples,
+        )
+        self.assertIn(
+            ("liam", "lib:Org4:art_101", roles.LIBRARY_AUTHOR.external_key),
+            subject_scope_role_triples,
+        )
+
     def test_assign_role_creates_extended_casbin_rule(self):
         """Test that assigning a role creates an ExtendedCasbinRule record.
 
diff --git a/openedx_authz/tests/api/test_users.py b/openedx_authz/tests/api/test_users.py
@@ -7,6 +7,7 @@
     assign_role_to_user_in_scope,
     batch_assign_role_to_users_in_scope,
     batch_unassign_role_from_users,
+    get_all_user_role_assignments,
     get_all_user_role_assignments_in_scope,
     get_user_role_assignments,
     get_user_role_assignments_for_role_in_scope,
@@ -290,6 +291,43 @@ def test_unassign_all_roles_from_user_removes_all_assignments(self, username, sc
             )
             self.assertEqual(len(scope_assignments), 0)
 
+    def test_get_all_user_role_assignments(self):
+        """Test retrieving all role assignments across all users and scopes.
+
+        Expected result:
+            - Returns all role assignments present in the system.
+            - Each assignment includes subject, role, and scope.
+            - Known assignments from the test setup are present in the result.
+        """
+        role_assignments = get_all_user_role_assignments()
+
+        self.assertGreater(len(role_assignments), 0)
+
+        # Verify each assignment has the expected structure
+        for assignment in role_assignments:
+            self.assertIsNotNone(assignment.subject)
+            self.assertIsNotNone(assignment.scope)
+            self.assertTrue(len(assignment.roles) > 0)
+            for role in assignment.roles:
+                self.assertIsNotNone(role.external_key)
+
+        # Verify known assignments from setup are present
+        user_scope_role_triples = {
+            (a.subject.username, a.scope.external_key, a.roles[0].external_key) for a in role_assignments
+        }
+        self.assertIn(
+            ("alice", "lib:Org1:math_101", roles.LIBRARY_ADMIN.external_key),
+            user_scope_role_triples,
+        )
+        self.assertIn(
+            ("eve", "lib:Org2:physics_401", roles.LIBRARY_ADMIN.external_key),
+            user_scope_role_triples,
+        )
+        self.assertIn(
+            ("liam", "lib:Org4:art_101", roles.LIBRARY_AUTHOR.external_key),
+            user_scope_role_triples,
+        )
+
     def test_unassign_all_roles_from_user_with_no_roles_returns_false(self):
         """Test that unassigning a user with no roles returns False.
 
diff --git a/openedx_authz/tests/rest_api/test_views.py b/openedx_authz/tests/rest_api/test_views.py
@@ -853,6 +853,261 @@ def test_put_accepts_valid_full_course_key_scope(self, _mock_exists, _mock_assig
         self.assertEqual(len(response.data["completed"]), 1)
 
 
+@ddt
+class TestTeamMembersAPIView(ViewTestMixin):
+    """
+    Test suite for TeamMembersAPIView.
+
+    Setup summary (from ViewTestMixin.setUpClass):
+        lib:Org1:LIB1 → admin_1 (library_admin), regular_1 (library_user), regular_2 (library_user)  [3 users]
+        lib:Org2:LIB2 → admin_2 (library_user),  regular_3 (library_user),  regular_4 (library_user) [3 users]
+        lib:Org3:LIB3 → admin_3 (library_admin), regular_5 (library_admin), regular_6 (library_author),
+                        regular_7 (library_contributor), regular_8 (library_user)                    [5 users]
+
+    Total unique users with assignments: 11
+    (admin_1..3 are staff/superuser; regular_1..8 are plain users)
+
+    Visibility via filter_allowed_assignments:
+        - Staff/superuser: sees all 11 users (is_admin_or_superuser_check grants VIEW_LIBRARY on lib scopes)
+        - regular_1 (library_user in Org1:LIB1): VIEW_LIBRARY granted → sees Org1 members (3)
+        - regular_3 (library_user in Org2:LIB2): VIEW_LIBRARY granted → sees Org2 members (3)
+        - regular_9 (no assignments): sees 0 users
+    """
+
+    def setUp(self):
+        """Set up test fixtures."""
+        super().setUp()
+        self.url = reverse("openedx_authz:user-list")
+        self.get_user_map_patcher = patch(
+            "openedx_authz.rest_api.utils.get_user_map",
+            side_effect=get_user_map_without_profile,
+        )
+        self.get_user_map_patcher.start()
+        self.addCleanup(self.get_user_map_patcher.stop)
+
+    # ------------------------------------------------------------------ #
+    # Visibility: calling user only sees assignments it has view access to #
+    # ------------------------------------------------------------------ #
+
+    @data(
+        # Staff/superuser sees all users across all scopes
+        ("admin_1", 11),
+        # regular_1 has LIBRARY_USER in lib:Org1:LIB1 (VIEW_LIBRARY granted) → sees only Org1 members
+        ("regular_1", 3),
+        # regular_3 has LIBRARY_USER in lib:Org2:LIB2 → sees only Org2 members
+        ("regular_3", 3),
+        # regular_9 has no assignments → sees nothing
+        ("regular_9", 0),
+    )
+    @unpack
+    def test_visibility_limited_to_accessible_scopes(self, username: str, expected_count: int):
+        """Calling user only sees assignments for scopes it has view access to.
+
+        Expected result:
+            - Staff/superuser sees all users across all scopes.
+            - Regular users only see members of scopes they can view.
+            - Users with no assignments see no results.
+        """
+        user = User.objects.get(username=username)
+        self.client.force_authenticate(user=user)
+
+        response = self.client.get(self.url)
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], expected_count)
+
+    def test_unauthenticated_returns_401(self):
+        """Unauthenticated requests are rejected.
+
+        Expected result:
+            - Returns 401 UNAUTHORIZED.
+        """
+        self.client.force_authenticate(user=None)
+
+        response = self.client.get(self.url)
+
+        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
+
+    # ------------------------------------------------------------------ #
+    # Filter by scopes                                                     #
+    # ------------------------------------------------------------------ #
+
+    @data(
+        # Single scope
+        ("lib:Org1:LIB1", 3),
+        ("lib:Org2:LIB2", 3),
+        ("lib:Org3:LIB3", 5),
+        # Multiple scopes (users are unique per scope, no overlap)
+        ("lib:Org1:LIB1,lib:Org2:LIB2", 6),
+        ("lib:Org1:LIB1,lib:Org3:LIB3", 8),
+        ("lib:Org1:LIB1,lib:Org2:LIB2,lib:Org3:LIB3", 11),
+        # Non-existent scope returns no results
+        ("lib:Org99:NOLIB", 0),
+    )
+    @unpack
+    def test_filter_by_scopes(self, scopes: str, expected_count: int):
+        """Results are filtered to the requested scopes.
+
+        Expected result:
+            - Only users with assignments in the given scope(s) are returned.
+            - Multiple scopes are OR-combined.
+        """
+        response = self.client.get(self.url, {"scopes": scopes})
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], expected_count)
+
+    # ------------------------------------------------------------------ #
+    # Filter by orgs                                                       #
+    # ------------------------------------------------------------------ #
+
+    @data(
+        # Single org
+        ("Org1", 3),
+        ("Org2", 3),
+        ("Org3", 5),
+        # Multiple orgs
+        ("Org1,Org2", 6),
+        ("Org1,Org3", 8),
+        ("Org1,Org2,Org3", 11),
+        # Non-existent org returns no results
+        ("OrgX", 0),
+    )
+    @unpack
+    def test_filter_by_orgs(self, orgs: str, expected_count: int):
+        """Results are filtered to the requested orgs.
+
+        Expected result:
+            - Only users with assignments in the given org(s) are returned.
+            - Multiple orgs are OR-combined.
+        """
+        response = self.client.get(self.url, {"orgs": orgs})
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], expected_count)
+
+    # ------------------------------------------------------------------ #
+    # Search (username, full_name, email)                                  #
+    # ------------------------------------------------------------------ #
+
+    @data(
+        # Exact username match
+        ("admin_1", 1),
+        # Partial username match
+        ("admin", 3),
+        ("regular", 8),
+        # Email match
+        ("admin_1@example.com", 1),
+        ("@example.com", 11),
+        # No match
+        ("nonexistent", 0),
+    )
+    @unpack
+    def test_search(self, search: str, expected_count: int):
+        """Search filters by username, full_name, or email (case-insensitive).
+
+        Expected result:
+            - Returns only users whose username, full_name, or email contains the search term.
+        """
+        response = self.client.get(self.url, {"search": search})
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], expected_count)
+
+    # ------------------------------------------------------------------ #
+    # Sorting                                                              #
+    # ------------------------------------------------------------------ #
+
+    @data(
+        ("username", "asc"),
+        ("username", "desc"),
+        ("email", "asc"),
+        ("email", "desc"),
+        ("full_name", "asc"),
+        ("full_name", "desc"),
+    )
+    @unpack
+    def test_sorting(self, sort_by: str, order: str):
+        """Results can be sorted by username, full_name, or email in asc/desc order.
+
+        Expected result:
+            - Returns 200 OK.
+            - Results are ordered according to the requested field and direction.
+        """
+        response = self.client.get(self.url, {"sort_by": sort_by, "order": order})
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        values = [item[sort_by] for item in response.data["results"]]
+        expected = sorted(values, key=lambda v: (v or "").lower(), reverse=(order == "desc"))
+        self.assertEqual(values, expected)
+
+    @data(
+        {"sort_by": "invalid"},
+        {"order": "ascending"},
+        {"order": "descending"},
+    )
+    def test_sorting_invalid_params(self, query_params: dict):
+        """Invalid sort_by or order values return 400.
+
+        Expected result:
+            - Returns 400 BAD REQUEST.
+        """
+        response = self.client.get(self.url, query_params)
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+    # ------------------------------------------------------------------ #
+    # Pagination                                                           #
+    # ------------------------------------------------------------------ #
+
+    @data(
+        ({"page": 1, "page_size": 5}, 5, True),
+        ({"page": 2, "page_size": 5}, 5, True),
+        ({"page": 3, "page_size": 5}, 1, False),
+        ({"page": 1, "page_size": 11}, 11, False),
+        ({"page": 1, "page_size": 6}, 6, True),
+    )
+    @unpack
+    def test_pagination(self, query_params: dict, expected_page_count: int, has_next: bool):
+        """Results are paginated correctly.
+
+        Expected result:
+            - Returns 200 OK.
+            - Page contains the expected number of items.
+            - `next` link is present only when more pages exist.
+        """
+        response = self.client.get(self.url, query_params)
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], 11)
+        self.assertEqual(len(response.data["results"]), expected_page_count)
+        if has_next:
+            self.assertIsNotNone(response.data["next"])
+        else:
+            self.assertIsNone(response.data["next"])
+
+    # ------------------------------------------------------------------ #
+    # Response shape                                                       #
+    # ------------------------------------------------------------------ #
+
+    def test_response_shape(self):
+        """Each result item contains the expected fields.
+
+        Expected result:
+            - Returns 200 OK.
+            - Each item has username, full_name, email, and assignation_count.
+        """
+        response = self.client.get(self.url, {"scopes": "lib:Org1:LIB1"})
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        for item in response.data["results"]:
+            self.assertIn("username", item)
+            self.assertIn("full_name", item)
+            self.assertIn("email", item)
+            self.assertIn("assignation_count", item)
+            self.assertEqual(item["assignation_count"], 1)
+
+
 @ddt
 class TestRoleListView(ViewTestMixin):
     """Test suite for RoleListView."""
diff --git a/openedx_authz/tests/test_enforcement.py b/openedx_authz/tests/test_enforcement.py
