[test] admin paths (#3494)

tests/api/test_generic.py

@@ -1,5 +1,7 @@
 import pytest
 
+from lnbits.core.models.users import User
+
 
 @pytest.mark.anyio
 async def test_core_views_generic(client):
@@ -50,3 +52,47 @@ async def test_get_extensions_no_user(client):
     response = await client.get("extensions")
     # bad request
     assert response.status_code == 401, f"{response.url} {response.status_code}"
+
+
+ADMIN_PATHS = [
+    "/users",
+    "/audit",
+    "/node",
+    "/admin",
+]
+
+
+# Test admin access to protected paths
+@pytest.mark.anyio
+@pytest.mark.parametrize("path", ADMIN_PATHS)
+async def test_admin_paths_access_granted_for_admin(
+    client, admin_user: User, path: str
+):
+    response = await client.post(
+        "/api/v1/auth", json={"username": admin_user.username, "password": "secret1234"}
+    )
+
+    assert response.status_code == 200, "Admin logs in OK"
+    access_token = response.json().get("access_token")
+    assert access_token is not None
+
+    response = await client.get(
+        path, headers={"Authorization": f"Bearer {access_token}"}
+    )
+    assert (
+        response.status_code == 200
+    ), f"{path} should be accessible for admin, got {response.status_code}"
+
+
+# Test non-admin access to protected paths
+@pytest.mark.anyio
+@pytest.mark.parametrize("path", ADMIN_PATHS)
+async def test_admin_paths_access_denied_for_non_admin(
+    client, to_user: User, path: str
+):
+    client.cookies.clear()
+    response = await client.get(path, params={"usr": to_user.id})
+    assert response.status_code in (
+        401,
+        403,
+    ), f"{path} should be forbidden for non-admin, got {response.status_code}"