fix(auth): distinguish empty model allowlists (#2938)

Co-authored-by: ghreprimand <203024559+ghreprimand@users.noreply.github.com>
2026-06-16 17:55:26 -04:00 · 2026-06-05 13:27:10 -05:00
parent fa9f62b44c
commit 545e692565
4 changed files with 85 additions and 15 deletions
@@ -1,5 +1,67 @@
 import pytest
-from routes.chat_helpers import clean_thinking_for_save, needs_auto_name
+from fastapi import HTTPException
+
+from routes.chat_helpers import _enforce_chat_privileges, clean_thinking_for_save, needs_auto_name
+
+
+class _AuthManager:
+    def __init__(self, privileges):
+        self._privileges = privileges
+
+    def get_privileges(self, username):
+        assert username == "alice"
+        return self._privileges
+
+
+class _Request:
+    def __init__(self, privileges):
+        self.app = type("App", (), {})()
+        self.app.state = type("State", (), {"auth_manager": _AuthManager(privileges)})()
+
+
+class _Session:
+    def __init__(self, model):
+        self.model = model
+
+
+def test_allowed_models_legacy_empty_list_remains_unrestricted(monkeypatch):
+    monkeypatch.setattr("routes.chat_helpers.get_current_user", lambda request: "alice")
+
+    _enforce_chat_privileges(
+        _Request({"allowed_models": [], "max_messages_per_day": 0}),
+        _Session("provider/model-a"),
+    )
+
+
+def test_allowed_models_explicit_empty_restricted_list_blocks_all_models(monkeypatch):
+    monkeypatch.setattr("routes.chat_helpers.get_current_user", lambda request: "alice")
+
+    with pytest.raises(HTTPException) as exc:
+        _enforce_chat_privileges(
+            _Request({
+                "allowed_models": [],
+                "allowed_models_restricted": True,
+                "max_messages_per_day": 0,
+            }),
+            _Session("provider/model-a"),
+        )
+
+    assert exc.value.status_code == 403
+    assert "provider/model-a" in exc.value.detail
+
+
+def test_allowed_models_nonempty_list_still_restricts_without_new_flag(monkeypatch):
+    monkeypatch.setattr("routes.chat_helpers.get_current_user", lambda request: "alice")
+
+    _enforce_chat_privileges(
+        _Request({"allowed_models": ["provider/model-a"], "max_messages_per_day": 0}),
+        _Session("provider/model-a"),
+    )
+    with pytest.raises(HTTPException):
+        _enforce_chat_privileges(
+            _Request({"allowed_models": ["provider/model-a"], "max_messages_per_day": 0}),
+            _Session("provider/model-b"),
+        )


@pytest.mark.parametrize("name,expected", [