test/test_cms_huser.py

"""CMS 医院管理员 - 人员管理（用户范围）测试：CMS-HUSER-1~3。

医院管理员只能管理本院的医生/学生；机构强制本院、角色受限。
"""
from rest_framework.test import APIClient

from apps.user.models import User
from .conftest import CacheTestCase, create_test_user, get_auth_client, ensure_institution

CMS_USER_URL = '/api/cms/users/'


def u_detail(pk):
    return f'/api/cms/users/{pk}/'


class HospitalAdminUserScopeTest(CacheTestCase):
    def setUp(self):
        super().setUp()
        self.inst = ensure_institution(name='本院', code='HU-A')
        self.other = ensure_institution(name='他院', code='HU-B')
        self.admin = create_test_user(phone='13931000001', role_type='hospital_admin',
                                      institution=self.inst)
        self.client = get_auth_client(self.admin)
        # 本院医生、学生；他院学生
        self.doc = create_test_user(phone='13931000002', role_type='doctor', institution=self.inst)
        self.stu = create_test_user(phone='13931000003', role_type='student', institution=self.inst)
        self.other_stu = create_test_user(phone='13931000004', role_type='student', institution=self.other)

    def test_list_scoped_to_own_doctor_student(self):
        resp = self.client.get(CMS_USER_URL)
        self.assertEqual(resp.status_code, 200, resp.content)
        ids = {u['id'] for u in resp.json()['results']}
        self.assertIn(self.doc.id, ids)
        self.assertIn(self.stu.id, ids)
        self.assertNotIn(self.other_stu.id, ids)   # 他院不可见
        self.assertNotIn(self.admin.id, ids)        # 医院管理员自己(role=hospital_admin)不在 doctor/student 范围

    def test_create_forces_own_institution(self):
        # 传了他院机构，仍落本院
        resp = self.client.post(CMS_USER_URL, {
            'phone': '13931000010', 'real_name': '新医生', 'role_type': 'doctor',
            'institution': self.other.id,
        })
        self.assertEqual(resp.status_code, 201, resp.content)
        u = User.objects.get(phone='13931000010')
        self.assertEqual(u.institution_id, self.inst.id)   # 强制本院

    def test_create_content_admin_allowed(self):
        # 医院管理员可给本院授予内容管理员权限
        resp = self.client.post(CMS_USER_URL, {
            'phone': '13931000011', 'real_name': '内容员', 'role_type': 'content_admin',
        })
        self.assertEqual(resp.status_code, 201, resp.content)
        u = User.objects.get(phone='13931000011')
        self.assertEqual(u.role_type, 'content_admin')
        self.assertEqual(u.institution_id, self.inst.id)   # 强制本院

    def test_create_role_restricted(self):
        # 医院管理员不能建 hospital_admin / super_admin
        for role in ('hospital_admin', 'super_admin'):
            resp = self.client.post(CMS_USER_URL, {
                'phone': '13931000012', 'real_name': 'x', 'role_type': role,
            })
            self.assertEqual(resp.status_code, 403, f'{role}: {resp.content}')
            self.assertEqual(resp.json()['code'], 'CMS_ROLE_NOT_ALLOWED')

    def test_cannot_touch_other_institution_user(self):
        # 他院学生不在 queryset → 404
        self.assertEqual(self.client.get(u_detail(self.other_stu.id)).status_code, 404)
        self.assertEqual(self.client.delete(u_detail(self.other_stu.id)).status_code, 404)

    def test_soft_delete_own_student(self):
        resp = self.client.delete(u_detail(self.stu.id))
        self.assertEqual(resp.status_code, 204, resp.content)
        self.assertFalse(User.objects.filter(id=self.stu.id).exists())

    def test_reset_password_own(self):
        resp = self.client.post(f'/api/cms/users/{self.doc.id}/reset-password/', {})
        self.assertEqual(resp.status_code, 200, resp.content)
        self.assertEqual(resp.json()['password'], 'Pass13931000002')

    def test_filter_by_role(self):
        # 医生管理页 ?role_type=doctor
        resp = self.client.get(CMS_USER_URL, {'role_type': 'doctor'})
        self.assertEqual(resp.status_code, 200)
        roles = {u['role_type'] for u in resp.json()['results']}
        self.assertEqual(roles, {'doctor'})
feat: cms users institution department manager 2026-06-11 10:37:29 +08:00			`"""CMS 医院管理员 - 人员管理（用户范围）测试：CMS-HUSER-1~3。`

			`医院管理员只能管理本院的医生/学生；机构强制本院、角色受限。`
			`"""`
			`from rest_framework.test import APIClient`

			`from apps.user.models import User`
			`from .conftest import CacheTestCase, create_test_user, get_auth_client, ensure_institution`

			`CMS_USER_URL = '/api/cms/users/'`


			`def u_detail(pk):`
			`return f'/api/cms/users/{pk}/'`


			`class HospitalAdminUserScopeTest(CacheTestCase):`
			`def setUp(self):`
			`super().setUp()`
			`self.inst = ensure_institution(name='本院', code='HU-A')`
			`self.other = ensure_institution(name='他院', code='HU-B')`
			`self.admin = create_test_user(phone='13931000001', role_type='hospital_admin',`
			`institution=self.inst)`
			`self.client = get_auth_client(self.admin)`
			`# 本院医生、学生；他院学生`
			`self.doc = create_test_user(phone='13931000002', role_type='doctor', institution=self.inst)`
			`self.stu = create_test_user(phone='13931000003', role_type='student', institution=self.inst)`
			`self.other_stu = create_test_user(phone='13931000004', role_type='student', institution=self.other)`

			`def test_list_scoped_to_own_doctor_student(self):`
			`resp = self.client.get(CMS_USER_URL)`
			`self.assertEqual(resp.status_code, 200, resp.content)`
			`ids = {u['id'] for u in resp.json()['results']}`
			`self.assertIn(self.doc.id, ids)`
			`self.assertIn(self.stu.id, ids)`
			`self.assertNotIn(self.other_stu.id, ids) # 他院不可见`
			`self.assertNotIn(self.admin.id, ids) # 医院管理员自己(role=hospital_admin)不在 doctor/student 范围`

			`def test_create_forces_own_institution(self):`
			`# 传了他院机构，仍落本院`
			`resp = self.client.post(CMS_USER_URL, {`
			`'phone': '13931000010', 'real_name': '新医生', 'role_type': 'doctor',`
			`'institution': self.other.id,`
			`})`
			`self.assertEqual(resp.status_code, 201, resp.content)`
			`u = User.objects.get(phone='13931000010')`
			`self.assertEqual(u.institution_id, self.inst.id) # 强制本院`

			`def test_create_content_admin_allowed(self):`
			`# 医院管理员可给本院授予内容管理员权限`
			`resp = self.client.post(CMS_USER_URL, {`
			`'phone': '13931000011', 'real_name': '内容员', 'role_type': 'content_admin',`
			`})`
			`self.assertEqual(resp.status_code, 201, resp.content)`
			`u = User.objects.get(phone='13931000011')`
			`self.assertEqual(u.role_type, 'content_admin')`
			`self.assertEqual(u.institution_id, self.inst.id) # 强制本院`

			`def test_create_role_restricted(self):`
			`# 医院管理员不能建 hospital_admin / super_admin`
			`for role in ('hospital_admin', 'super_admin'):`
			`resp = self.client.post(CMS_USER_URL, {`
			`'phone': '13931000012', 'real_name': 'x', 'role_type': role,`
			`})`
			`self.assertEqual(resp.status_code, 403, f'{role}: {resp.content}')`
			`self.assertEqual(resp.json()['code'], 'CMS_ROLE_NOT_ALLOWED')`

			`def test_cannot_touch_other_institution_user(self):`
			`# 他院学生不在 queryset → 404`
			`self.assertEqual(self.client.get(u_detail(self.other_stu.id)).status_code, 404)`
			`self.assertEqual(self.client.delete(u_detail(self.other_stu.id)).status_code, 404)`

			`def test_soft_delete_own_student(self):`
			`resp = self.client.delete(u_detail(self.stu.id))`
			`self.assertEqual(resp.status_code, 204, resp.content)`
			`self.assertFalse(User.objects.filter(id=self.stu.id).exists())`

			`def test_reset_password_own(self):`
			`resp = self.client.post(f'/api/cms/users/{self.doc.id}/reset-password/', {})`
			`self.assertEqual(resp.status_code, 200, resp.content)`
			`self.assertEqual(resp.json()['password'], 'Pass13931000002')`

			`def test_filter_by_role(self):`
			`# 医生管理页 ?role_type=doctor`
			`resp = self.client.get(CMS_USER_URL, {'role_type': 'doctor'})`
			`self.assertEqual(resp.status_code, 200)`
			`roles = {u['role_type'] for u in resp.json()['results']}`
			`self.assertEqual(roles, {'doctor'})`