pinakes-server: expand test coverage for server features

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: Ia09d2d3ad7f6613e21d20321e0877bc16a6a6964
2026-03-20 12:43:43 +03:00 · 2026-03-20 12:43:43 +03:00 · 7d8ec5ffc1
commit 7d8ec5ffc1
parent 4a2136439f
8 changed files with 853 additions and 10 deletions
--- a/crates/pinakes-server/tests/plugin.rs
+++ b/crates/pinakes-server/tests/plugin.rs
@ -2,7 +2,20 @@ mod common;
 use std::sync::Arc;

 use axum::{body::Body, http::StatusCode};
-use common::*;
+use common::{
+  default_config,
+  delete_authed,
+  get,
+  get_authed,
+  patch_json_authed,
+  post_json,
+  post_json_authed,
+  put_json_authed,
+  response_body,
+  setup_app,
+  setup_app_with_auth,
+  test_addr,
+};
 use http_body_util::BodyExt;
 use pinakes_core::{config::PluginsConfig, plugin::PluginManager};
 use tower::ServiceExt;
@ -164,3 +177,98 @@ async fn test_plugin_uninstall_not_found() {
      || response.status() == StatusCode::NOT_FOUND
  );
 }
+
+// RBAC tests using common helpers with auth setup
+
+#[tokio::test]
+async fn media_list_unauthenticated() {
+  let app = setup_app().await;
+  let resp = app.oneshot(get("/api/v1/media")).await.unwrap();
+  assert_eq!(resp.status(), StatusCode::OK);
+  let body = response_body(resp).await;
+  assert!(body.is_array());
+}
+
+#[tokio::test]
+async fn media_list_authenticated() {
+  let (app, _, _, viewer) = setup_app_with_auth().await;
+  let resp = app
+    .clone()
+    .oneshot(get_authed("/api/v1/media", &viewer))
+    .await
+    .unwrap();
+  assert_eq!(resp.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn import_unauthenticated_rejected() {
+  let (app, ..) = setup_app_with_auth().await;
+  let resp = app
+    .clone()
+    .oneshot(post_json(
+      "/api/v1/media/import",
+      r#"{"path":"/tmp/test.txt"}"#,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
+}
+
+#[tokio::test]
+async fn import_viewer_forbidden() {
+  let (app, _, _, viewer) = setup_app_with_auth().await;
+  let resp = app
+    .clone()
+    .oneshot(post_json_authed(
+      "/api/v1/media/import",
+      r#"{"path":"/tmp/test.txt"}"#,
+      &viewer,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn update_media_viewer_forbidden() {
+  let (app, _, _, viewer) = setup_app_with_auth().await;
+  let fake_id = uuid::Uuid::now_v7();
+  let resp = app
+    .clone()
+    .oneshot(patch_json_authed(
+      &format!("/api/v1/media/{fake_id}"),
+      r#"{"title":"new"}"#,
+      &viewer,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn delete_media_viewer_forbidden() {
+  let (app, _, _, viewer) = setup_app_with_auth().await;
+  let fake_id = uuid::Uuid::now_v7();
+  let resp = app
+    .clone()
+    .oneshot(delete_authed(&format!("/api/v1/media/{fake_id}"), &viewer))
+    .await
+    .unwrap();
+  assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn update_sync_device_viewer_forbidden() {
+  let (app, _, _, viewer) = setup_app_with_auth().await;
+  let fake_id = uuid::Uuid::now_v7();
+  let resp = app
+    .clone()
+    .oneshot(put_json_authed(
+      &format!("/api/v1/sync/devices/{fake_id}"),
+      r#"{"name":"renamed"}"#,
+      &viewer,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+}