e4dcfc49aa
Tests / Lint and Format (push) Waiting to run
Tests / Web Node Tests (push) Waiting to run
Tests / Import Check (Python 3.11) (push) Waiting to run
Tests / Import Check (Python 3.12) (push) Waiting to run
Tests / Import Check (Python 3.13) (push) Waiting to run
Tests / Import Check (Python 3.14) (push) Waiting to run
Tests / Python Tests (Python 3.11) (push) Blocked by required conditions
Tests / Python Tests (Python 3.12) (push) Blocked by required conditions
Tests / Python Tests (Python 3.13) (push) Blocked by required conditions
Tests / Python Tests (Python 3.14) (push) Blocked by required conditions
Tests / Test Summary (push) Blocked by required conditions
49 lines
2.0 KiB
Python
49 lines
2.0 KiB
Python
from __future__ import annotations
|
|
|
|
|
|
def test_book_session_ids_are_scoped_per_user(as_user) -> None:
|
|
from deeptutor.book.storage import BookStorage
|
|
from deeptutor.services.session import get_sqlite_session_store, get_turn_runtime_manager
|
|
|
|
shared_book_id = "shared-book-id"
|
|
|
|
with as_user("u_victim"):
|
|
victim_book_root = BookStorage().book_root(shared_book_id)
|
|
victim_session_db = get_sqlite_session_store().db_path
|
|
victim_runtime_store_db = get_turn_runtime_manager().store.db_path
|
|
|
|
with as_user("u_attacker"):
|
|
attacker_book_root = BookStorage().book_root(shared_book_id)
|
|
attacker_session_db = get_sqlite_session_store().db_path
|
|
attacker_runtime_store_db = get_turn_runtime_manager().store.db_path
|
|
|
|
assert victim_book_root != attacker_book_root
|
|
assert victim_session_db != attacker_session_db
|
|
assert victim_runtime_store_db != attacker_runtime_store_db
|
|
assert "u_victim" in str(victim_book_root)
|
|
assert "u_attacker" in str(attacker_book_root)
|
|
|
|
|
|
def test_partner_data_is_admin_anchored_not_user_scoped(as_user) -> None:
|
|
"""Partners are process-wide resources anchored at the admin workspace.
|
|
|
|
Unlike the per-user resources above, the partner tree must NOT follow the
|
|
request user's scope: partner runtimes execute inside a synthetic partner
|
|
scope whose own workspace lives below ``data/partners``, so resolving the
|
|
base dir through the contextvar would recurse the layout. Access control
|
|
is enforced at the API layer instead (the /api/v1/partners router is
|
|
admin-gated in ``api/main.py``).
|
|
"""
|
|
from deeptutor.services.partners.manager import PartnerManager
|
|
|
|
manager = PartnerManager()
|
|
|
|
with as_user("u_victim"):
|
|
victim_dir = manager._partners_dir
|
|
with as_user("u_attacker"):
|
|
attacker_dir = manager._partners_dir
|
|
|
|
assert victim_dir == attacker_dir
|
|
assert str(victim_dir).endswith("data/partners")
|
|
assert "u_victim" not in str(victim_dir)
|