From 462401d41aa85026380d6d3540c1d0b89dc26e44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20K=C3=BChn?=
Date: Fri, 1 May 2026 10:11:57 +0200
Subject: [PATCH] Add admin access control tests

- 401 for unauthenticated requests
- 403 for authenticated non-admin users
- 200 with full user list for admin (looks up existing ADMIN_EMAIL user, skips gracefully if not present in DB)

Co-Authored-By: Claude Sonnet 4.6
---
 tests/AppIntegrationTest.php | 47 ++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/tests/AppIntegrationTest.php b/tests/AppIntegrationTest.php
index 2e57564..50719f3 100644
--- a/tests/AppIntegrationTest.php
+++ b/tests/AppIntegrationTest.php
@@ -776,6 +776,53 @@ class AppIntegrationTest extends WebTestCase
 $this->assertSame('Stück', $data['unit']);
 }
 
+ // ── Admin ─────────────────────────────────────────────────────────────────
+
+ public function testAdminUsersUnauthenticated(): void
+ {
+ $this->json($this->client, 'GET', '/api/admin/users');
+ $this->assertSame(401, $this->client->getResponse()->getStatusCode());
+ }
+
+ public function testAdminUsersNonAdminForbidden(): void
+ {
+ $user = $this->createUser('adminblocked');
+ $client = $this->authClient($user);
+ $data = $this->json($client, 'GET', '/api/admin/users');
+
+ $this->assertArrayHasKey('error', $data);
+ $this->assertSame(403, $client->getResponse()->getStatusCode());
+ }
+
+ public function testAdminUsersReturnsAllUsers(): void
+ {
+ $adminEmail = $_ENV['ADMIN_EMAIL'] ?? '';
+ if (!$adminEmail) {
+ $this->markTestSkipped('ADMIN_EMAIL not configured');
+ }
+
+ $admin = $this->em->getRepository(User::class)->findOneBy(['email' => $adminEmail]);
+ if (!$admin) {
+ $this->markTestSkipped("Admin user $adminEmail not found in DB");
+ }
+
+ $this->createUser('adminlistother');
+
+ $client = $this->authClient($admin);
+ $data = $this->json($client, 'GET', '/api/admin/users');
+
+ $this->assertSame(200, $client->getResponse()->getStatusCode());
+ $this->assertIsArray($data);
+ $emails = array_column($data, 'email');
+ $this->assertContains($adminEmail, $emails);
+ $this->assertContains('adminlistother@test.dudi', $emails);
+ foreach ($data as $row) {
+ $this->assertArrayHasKey('email', $row);
+ $this->assertArrayHasKey('username', $row);
+ $this->assertArrayHasKey('registered', $row);
+ }
+ }
+
 public function testGoalDeleteReturnsOkForNonExistentGoal(): void
 {
 $user = $this->createUser('goaldelmissing');
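Review bot: The positive authorization path in testAdminUsersReturnsAllUsers is skipped, not failed, whenever ADMIN_EMAIL is unset or that user is absent from the test database, so on a fresh CI database the only test that proves an admin can actually reach /api/admin/users never runs and a regression there stays green. Since the other two tests build their own users with `$this->createUser(...)` (defined outside this hunk), the admin should be created the same way rather than looked up, if that helper or a sibling can take an explicit email; failing that, the `findOneBy` branch should `$this->fail(...)` instead of `markTestSkipped` so a missing fixture is visible. The loop over `$data` only checks that `email`, `username` and `registered` are present; for an endpoint that serializes whole User rows to an admin it is worth adding a negative check for the credential field, e.g. `$this->assertArrayNotHasKey('password', $row);` using whatever the hashed-password property on User is named, so a serializer change cannot start leaking hashes. In testAdminUsersNonAdminForbidden, moving the 403 assertion before the `$this->assertArrayHasKey('error', $data)` line gives a clearer failure when the status is wrong. The enclosing class AppIntegrationTest begins and ends outside this hunk.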