test: team settings and propertied cannot be changeds by foreign team…

… owner
wireapp · Feb 1, 2024 · 62edf97 · 62edf97
1 parent aa508fa
commit 62edf97
Showing 1 changed file with 21 additions and 11 deletions.
diff --git a/integration/test/Test/TeamSettings.hs b/integration/test/Test/TeamSettings.hs
@@ -17,36 +17,46 @@
 -- You should have received a copy of the GNU Affero General Public License along
 -- with this program. If not, see <https://www.gnu.org/licenses/>.
 
-module Test.TeamSettings where
+module Test.TeamSettings ( testTeamSettingsUpdate, testTeamPropertiesUpdate ) where
 
 import API.Galley
 import SetupHelpers
 import Testlib.Prelude
 
 testTeamSettingsUpdate :: HasCallStack => App ()
 testTeamSettingsUpdate = do
-  (owner, tid, [mem]) <- createTeam OwnDomain 2
-  partner <- createTeamMemberWithRole owner tid "partner"
+  (ownerA, tidA, [mem]) <- createTeam OwnDomain 2
+  partner <- createTeamMemberWithRole ownerA tidA "partner"
 
-  bindResponse (putAppLockSettings tid owner def) $ \resp -> do
+  bindResponse (putAppLockSettings tidA ownerA def) $ \resp -> do
     resp.status `shouldMatchInt` 200
-  bindResponse (putAppLockSettings tid mem def) $ \resp -> do
+  bindResponse (putAppLockSettings tidA mem def) $ \resp -> do
     resp.status `shouldMatchInt` 403
     resp.json %. "label" `shouldMatch` "operation-denied"
-  bindResponse (putAppLockSettings tid partner def) $ \resp -> do
+  bindResponse (putAppLockSettings tidA partner def) $ \resp -> do
+    resp.status `shouldMatchInt` 403
+    resp.json %. "label" `shouldMatch` "operation-denied"
+
+  (ownerB, _tidB, []) <- createTeam OwnDomain 1
+  bindResponse (putAppLockSettings tidA ownerB def) $ \resp -> do
     resp.status `shouldMatchInt` 403
     resp.json %. "label" `shouldMatch` "operation-denied"
 
 testTeamPropertiesUpdate :: HasCallStack => App ()
 testTeamPropertiesUpdate = do
-  (owner, tid, [mem]) <- createTeam OwnDomain 2
-  partner <- createTeamMemberWithRole owner tid "partner"
+  (ownerA, tidA, [mem]) <- createTeam OwnDomain 2
+  partner <- createTeamMemberWithRole ownerA tidA "partner"
 
-  bindResponse (putTeamProperties tid owner def) $ \resp -> do
+  bindResponse (putTeamProperties tidA ownerA def) $ \resp -> do
     resp.status `shouldMatchInt` 200
-  bindResponse (putTeamProperties tid mem def) $ \resp -> do
+  bindResponse (putTeamProperties tidA mem def) $ \resp -> do
     resp.status `shouldMatchInt` 403
     resp.json %. "label" `shouldMatch` "operation-denied"
-  bindResponse (putTeamProperties tid partner def) $ \resp -> do
+  bindResponse (putTeamProperties tidA partner def) $ \resp -> do
+    resp.status `shouldMatchInt` 403
+    resp.json %. "label" `shouldMatch` "operation-denied"
+
+  (ownerB, _tidB, []) <- createTeam OwnDomain 1
+  bindResponse (putTeamProperties tidA ownerB def) $ \resp -> do
     resp.status `shouldMatchInt` 403
     resp.json %. "label" `shouldMatch` "operation-denied"