🔥(cleanup) remove comment from permissions file

remote remaining commented line from previous PR's tests
2026-01-27 11:54:39 +01:00
parent be64abb22f
commit 6ae195b90c
2 changed files with 20 additions and 3 deletions
--- a/src/backend/mailbox_manager/api/permissions.py
+++ b/src/backend/mailbox_manager/api/permissions.py
@@ -26,7 +26,7 @@ class DomainPermission(IsAuthenticated):
            slug=view.kwargs.get("domain_slug", ""),
            accesses__user=request.user,
        )
-        # domain = models.MailDomain.objects.get(slug=view.kwargs.get("domain_slug", ""))
+
        abilities = domain.get_abilities(request.user)
        if request.method.lower() == "delete":
            return abilities.get("manage_accesses", False)
--- a/src/backend/mailbox_manager/tests/api/invitations/test_api_domain_invitations_delete.py
+++ b/src/backend/mailbox_manager/tests/api/invitations/test_api_domain_invitations_delete.py
@@ -1,5 +1,5 @@
 """
-Tests for MailDomainInvitations API endpoint in People's app mailbox_manager.
+Tests for MailDomainInvitation API endpoint in People's app mailbox_manager.
 Focus on "delete" action.
 """

@@ -7,7 +7,7 @@ import pytest
 from rest_framework import status
 from rest_framework.test import APIClient

-from mailbox_manager import factories
+from mailbox_manager import factories, models

 pytestmark = pytest.mark.django_db

@@ -24,6 +24,7 @@ def test_api_domain_invitations__delete__anonymous():
    assert response.json() == {
        "detail": "Authentication credentials were not provided."
    }
+    assert models.MailDomainInvitation.objects.count() == 1


 def test_api_domain_invitations__delete__no_access_not_found():
@@ -40,6 +41,21 @@ def test_api_domain_invitations__delete__no_access_not_found():
        f"/api/v1.0/mail-domains/{domain.slug}/invitations/{invitation.id}/",
    )
    assert response.status_code == status.HTTP_404_NOT_FOUND
+    assert models.MailDomainInvitation.objects.count() == 1
+
+
+def test_api_domain_invitations__delete__viewers_forbidden():
+    """Domain viewers should not be permitted to delete invitations."""
+    access = factories.MailDomainAccessFactory(role="viewer")
+    invitation = factories.MailDomainInvitationFactory(domain=access.domain)
+
+    client = APIClient()
+    client.force_login(access.user)
+    response = client.delete(
+        f"/api/v1.0/mail-domains/{access.domain.slug}/invitations/{invitation.id}/",
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+    assert models.MailDomainInvitation.objects.count() == 1


@pytest.mark.parametrize(
@@ -57,3 +73,4 @@ def test_api_domain_invitations__delete_admins_ok(role):
        f"/api/v1.0/mail-domains/{access.domain.slug}/invitations/{invitation.id}/",
    )
    assert response.status_code == status.HTTP_204_NO_CONTENT
+    assert not models.MailDomainInvitation.objects.exists()