Files
wehub-resource-sync e4dcfc49aa
Tests / Lint and Format (push) Waiting to run
Tests / Web Node Tests (push) Waiting to run
Tests / Import Check (Python 3.11) (push) Waiting to run
Tests / Import Check (Python 3.12) (push) Waiting to run
Tests / Import Check (Python 3.13) (push) Waiting to run
Tests / Import Check (Python 3.14) (push) Waiting to run
Tests / Python Tests (Python 3.11) (push) Blocked by required conditions
Tests / Python Tests (Python 3.12) (push) Blocked by required conditions
Tests / Python Tests (Python 3.13) (push) Blocked by required conditions
Tests / Python Tests (Python 3.14) (push) Blocked by required conditions
Tests / Test Summary (push) Blocked by required conditions
chore: import upstream snapshot with attribution
2026-07-13 13:00:43 +08:00

79 lines
2.7 KiB
Python

"""Tests for capability-based access: has_capability_access.
As of the multi-user release only the LLM capability is grantable per user, so
gating is LLM-only; embedding/search are shared admin infrastructure. The same
helper backs the turn-runtime gate and the frontend lock, so they always agree.
"""
from deeptutor.multi_user import model_access
from deeptutor.multi_user.context import reset_current_user, set_current_user
from deeptutor.multi_user.models import CurrentUser, UserScope
def make_user(tmp_path, role="user"):
uid = "u_admin" if role == "admin" else "u_alice"
return CurrentUser(
id=uid,
username="admin" if role == "admin" else "alice",
role=role,
scope=UserScope(
kind="admin" if role == "admin" else "user",
user_id=uid,
root=tmp_path / uid,
),
)
def _fake_access(llm=None):
"""Build a redacted_model_access return value with the given llm bucket."""
return lambda _user_id=None: {"llm": list(llm or [])}
def test_admin_always_has_access(tmp_path, monkeypatch):
# Admins are never gated and must not even consult the grant view.
def _boom(_user_id=None):
raise AssertionError("redacted_model_access should not be called for admins")
monkeypatch.setattr(model_access, "redacted_model_access", _boom)
token = set_current_user(make_user(tmp_path, role="admin"))
try:
assert model_access.has_capability_access("llm") is True
finally:
reset_current_user(token)
def test_user_with_available_model_has_access(tmp_path, monkeypatch):
monkeypatch.setattr(
model_access,
"redacted_model_access",
_fake_access(llm=[{"profile_id": "p", "model_id": "m", "available": True}]),
)
token = set_current_user(make_user(tmp_path, role="user"))
try:
assert model_access.has_capability_access("llm") is True
finally:
reset_current_user(token)
def test_user_with_unavailable_model_has_no_access(tmp_path, monkeypatch):
# A granted profile that no longer resolves in the catalog is available=False.
monkeypatch.setattr(
model_access,
"redacted_model_access",
_fake_access(llm=[{"profile_id": "p", "available": False}]),
)
token = set_current_user(make_user(tmp_path, role="user"))
try:
assert model_access.has_capability_access("llm") is False
finally:
reset_current_user(token)
def test_user_with_empty_grant_has_no_access(tmp_path, monkeypatch):
monkeypatch.setattr(model_access, "redacted_model_access", _fake_access())
token = set_current_user(make_user(tmp_path, role="user"))
try:
assert model_access.has_capability_access("llm") is False
finally:
reset_current_user(token)