feat: hide invite-only networks from non-admin users in listing

2026-05-30 06:40:49 +00:00
parent 2aad17f5e0
commit 55f24ea9e5
4 changed files with 240 additions and 2 deletions
@@ -68,6 +68,85 @@ class TestZeroTierNetworkCRUD:
        result = integration_client.get(f"/organizations/{org['id']}/networks")
        assert_success(result)

+    def test_list_networks_member_hides_invite_only(
+        self, integration_client, create_test_user, create_test_org,
+        create_test_membership, integration_app,
+    ):
+        """TEST: ZT-02a — Member cannot see invite-only networks.
+
+        WHAT:  GET /organizations/<id>/networks as a MEMBER.
+        WHY:   Invite-only networks must be hidden from non-admin users.
+        EXPECTED: 200 OK, invite-only network excluded from results.
+        """
+        from gatehouse_app.models.zerotier.portal_network import PortalNetwork
+        from gatehouse_app.extensions import db as _db
+
+        member = create_test_user(password="MemberPass123!")
+        admin = create_test_user(password="AdminPass123!")
+        org = create_test_org()
+        create_test_membership(member["id"], org["id"], OrganizationRole.MEMBER)
+        create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+        with integration_app.app_context():
+            open_net = PortalNetwork(
+                organization_id=org["id"],
+                name="Open Network",
+                zerotier_network_id="aaaa000000000001",
+                request_mode="open",
+                owner_user_id=admin["id"],
+            )
+            _db.session.add(open_net)
+            invite_net = PortalNetwork(
+                organization_id=org["id"],
+                name="Invite Only Network",
+                zerotier_network_id="aaaa000000000002",
+                request_mode="invite_only",
+                owner_user_id=admin["id"],
+            )
+            _db.session.add(invite_net)
+            _db.session.commit()
+
+        integration_client.auth.login(email=member["email"], password="MemberPass123!")
+        result = integration_client.get(f"/organizations/{org['id']}/networks")
+        data = assert_success(result)
+        network_names = [n["name"] for n in data["networks"]]
+        assert "Open Network" in network_names
+        assert "Invite Only Network" not in network_names
+
+    def test_list_networks_admin_sees_invite_only(
+        self, integration_client, create_test_user, create_test_org,
+        create_test_membership, integration_app,
+    ):
+        """TEST: ZT-02b — Admin can see invite-only networks.
+
+        WHAT:  GET /organizations/<id>/networks as an ADMIN.
+        WHY:   Admins need visibility into all networks.
+        EXPECTED: 200 OK, invite-only network included in results.
+        """
+        from gatehouse_app.models.zerotier.portal_network import PortalNetwork
+        from gatehouse_app.extensions import db as _db
+
+        admin = create_test_user(password="AdminPass123!")
+        org = create_test_org()
+        create_test_membership(admin["id"], org["id"], OrganizationRole.ADMIN)
+
+        with integration_app.app_context():
+            invite_net = PortalNetwork(
+                organization_id=org["id"],
+                name="Hidden Network",
+                zerotier_network_id="bbbb000000000001",
+                request_mode="invite_only",
+                owner_user_id=admin["id"],
+            )
+            _db.session.add(invite_net)
+            _db.session.commit()
+
+        integration_client.auth.login(email=admin["email"], password="AdminPass123!")
+        result = integration_client.get(f"/organizations/{org['id']}/networks")
+        data = assert_success(result)
+        network_names = [n["name"] for n in data["networks"]]
+        assert "Hidden Network" in network_names
+
    def test_create_network_non_admin_negative(self, integration_client, create_test_user, create_test_org, create_test_membership):
        """TEST: ZT-03 — Reject network creation as member.