test(team): enhance team member removal tests with access control checks

AnujChhikara · AnujChhikara · commit c8c1c8e72175 · 2025-09-07T01:19:31.000+05:30
diff --git a/todo/tests/unit/views/test_team.py b/todo/tests/unit/views/test_team.py
@@ -143,8 +143,10 @@ def setUp(self):
         self.user_id = "507f1f77bcf86cd799439011"
         self.mock_user_id = "507f1f77bcf86cd799439013"
 
+    @patch("todo.utils.team_access.has_team_access")
     @patch("todo.views.team.TeamService.remove_member_from_team")
-    def test_remove_member_success(self, mock_remove):
+    def test_remove_member_success(self, mock_remove, mock_has_team_access):
+        mock_has_team_access.return_value = True
         mock_remove.return_value = True
 
         mock_request = MagicMock()
@@ -157,10 +159,12 @@ def test_remove_member_success(self, mock_remove):
             user_id=self.user_id, team_id=self.team_id, removed_by_user_id=self.mock_user_id
         )
 
+    @patch("todo.utils.team_access.has_team_access")
     @patch("todo.views.team.TeamService.remove_member_from_team")
-    def test_remove_member_not_found(self, mock_remove):
+    def test_remove_member_not_found(self, mock_remove, mock_has_team_access):
         from todo.services.team_service import TeamService
 
+        mock_has_team_access.return_value = True
         mock_remove.side_effect = TeamService.TeamOrUserNotFound()
 
         mock_request = MagicMock()
@@ -171,8 +175,10 @@ def test_remove_member_not_found(self, mock_remove):
         self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
         self.assertIn("not found", response.data["detail"])
 
+    @patch("todo.utils.team_access.has_team_access")
     @patch("todo.views.team.TeamService.remove_member_from_team")
-    def test_remove_member_generic_error(self, mock_remove):
+    def test_remove_member_generic_error(self, mock_remove, mock_has_team_access):
+        mock_has_team_access.return_value = True
         mock_remove.side_effect = Exception("Something went wrong")
 
         mock_request = MagicMock()
diff --git a/todo/utils/team_access.py b/todo/utils/team_access.py
@@ -30,7 +30,13 @@ def has_team_access(user_id: str, team_id: str) -> bool:
 
 def team_access_required(func):
     def wrapper(self, request, *args, **kwargs):
-        if not has_team_access(request.user_id, kwargs["team_id"]):
+        team_id = kwargs.get("team_id")
+        if team_id is None and len(args) > 0:
+            team_id = args[0]
+        if not team_id:
+            return Response({"detail": "Team ID is required."}, status=status.HTTP_400_BAD_REQUEST)
+
+        if not has_team_access(request.user_id, team_id):
             return Response({"detail": "You are not authorized to view this team."}, status=status.HTTP_403_FORBIDDEN)
         return func(self, request, *args, **kwargs)
 
