From b42e273479a3c7c74f7508757c4e7c133da1f92f Mon Sep 17 00:00:00 2001
From: MechaCat02
Date: Thu, 28 May 2026 20:21:38 +0200
Subject: [PATCH] fix(test): admin_is_implicit_app_admin uses force=true on app delete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The test creates a script in the default app earlier in the body, so a plain DELETE /apps/default hits the soft no-cascade guard and 409s before the capability check runs. The intent is to validate that admin holds AppAdmin everywhere, not to exercise the cascade contract — pass ?force=true so we reach the gate we're trying to test.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 crates/picloud/tests/authz.rs | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crates/picloud/tests/authz.rs b/crates/picloud/tests/authz.rs
index ecb4040..a82b6c7 100644
--- a/crates/picloud/tests/authz.rs
+++ b/crates/picloud/tests/authz.rs
@@ -325,9 +325,11 @@ async fn admin_is_implicit_app_admin_on_every_app(pool: PgPool) {
 .await
 .assert_status_ok();
 
- // Allowed: delete the default app (AppAdmin).
+ // Allowed: delete the default app (AppAdmin). ?force=true because
+ // the script we created above pushes us past the soft no-cascade
+ // guard — this test is about the capability, not the cascade.
 s.server
- .delete("/api/v1/admin/apps/default")
+ .delete("/api/v1/admin/apps/default?force=true")
 .add_header("authorization", format!("Bearer {token}"))
 .await
 .assert_status(axum::http::StatusCode::NO_CONTENT);
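Review bot: The `?force=true` delete at the end of the hunk asserts only the allowed path, so the `NO_CONTENT` result would also pass if the force branch skipped the AppAdmin check altogether. The commit message says the no-cascade guard answers 409 before the capability check runs; if that is the handler's real order, a caller without AppAdmin could tell from 409 versus a denial whether an app still holds scripts, and this test no longer touches that path. Consider adding a denied case on the same URL ahead of the admin delete, unless authz.rs already has one elsewhere: `.delete("/api/v1/admin/apps/default?force=true")` with a token that lacks AppAdmin, followed by `.assert_status(axum::http::StatusCode::FORBIDDEN)` (or whatever denial status the API uses). The body of `admin_is_implicit_app_admin_on_every_app` starts and ends outside this hunk, so the token setup and any existing negative assertions are not visible here.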