Improved: the generic ForbiddenError response now uses the new error format

chriscool · chriscool · commit f11028f1c5ea · 2025-09-14T23:22:42.000+02:00
diff --git a/app/errors.py b/app/errors.py
@@ -39,7 +39,6 @@ class BadRequestError(CustomError):
     error_code = "BAD_REQUEST"
     message = "The request is invalid."
 
-
 class ForbiddenError(CustomError):
     status_code = 403
     error_code = "FORBIDDEN"
diff --git a/app/tests/test_api.py b/app/tests/test_api.py
@@ -830,6 +830,23 @@ def test_update_election():
     )
     check_error_response(response, 403, "IMMUTABLE_IDS")
 
+def test_update_election_as_non_admin():
+    """
+    Tests that a non-admin user cannot update an election.
+    """
+    # Create a restricted election to get both an admin and a non-admin (ballot) token.
+    body = _random_election(5, 3)
+    body["restricted"] = True
+    body["num_voters"] = 1
+    response = client.post("/elections", json=body)
+    assert response.status_code == 200
+    election_data = response.json()
+    ballot_token = election_data["invites"][0] # This is a non-admin token
+
+    # Attempt to update the election using the ballot token.
+    update_payload = {"ref": election_data["ref"], "name": "New Name"}
+    response = client.put("/elections", json=update_payload, headers={"Authorization": f"Bearer {ballot_token}"})
+    check_error_response(response, 403, "FORBIDDEN")
 
 def test_close_election2():
     """
