Phase 4: API Endpoint

- Add RandomNumberOutcomeResponse schema to schemas.py - Add GET /api/audit/random-jobs endpoint to routes/audit.py - Returns list of outcomes (newest first, no pagination) - Requires VIEW_AUDIT permission - Add tests: admin can access, regular user forbidden, unauthenticated 401
2025-12-21 22:53:54 +01:00 · 2025-12-21 22:53:54 +01:00 · b3ed81e8fd
commit b3ed81e8fd
parent 7beb213cf5
3 changed files with 71 additions and 1 deletions
--- a/backend/tests/test_permissions.py
+++ b/backend/tests/test_permissions.py
@ -272,6 +272,32 @@ class TestAuditAccess:
        response = await client.get("/api/audit/sum")
        assert response.status_code == 401

+    @pytest.mark.asyncio
+    async def test_admin_can_view_random_jobs(self, client_factory, admin_user):
+        """Admin should be able to view random job outcomes."""
+        async with client_factory.create(cookies=admin_user["cookies"]) as client:
+            response = await client.get("/api/audit/random-jobs")
+
+        assert response.status_code == 200
+        # Returns a list (no pagination)
+        assert isinstance(response.json(), list)
+
+    @pytest.mark.asyncio
+    async def test_regular_user_cannot_view_random_jobs(
+        self, client_factory, regular_user
+    ):
+        """Regular users should be forbidden from random-jobs endpoint."""
+        async with client_factory.create(cookies=regular_user["cookies"]) as client:
+            response = await client.get("/api/audit/random-jobs")
+
+        assert response.status_code == 403
+
+    @pytest.mark.asyncio
+    async def test_unauthenticated_cannot_view_random_jobs(self, client):
+        """Unauthenticated users should get 401."""
+        response = await client.get("/api/audit/random-jobs")
+        assert response.status_code == 401
+

 # =============================================================================
 # Offensive Security Tests - Bypass Attempts