From 3e98d962aadb78b1096df80909ee7df9d6d3640f Mon Sep 17 00:00:00 2001
From: Jannat Patel <pateljannat2308@gmail.com>
Date: Mon, 19 Jan 2026 15:06:44 +0530
Subject: [PATCH] test: access to endpoints

---
 lms/auth.py      |  5 ++---
 lms/test_auth.py | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 lms/test_auth.py

diff --git a/lms/auth.py b/lms/auth.py
index e465c71d..3e756fad 100644
--- a/lms/auth.py
+++ b/lms/auth.py
@@ -42,14 +42,13 @@ def authenticate():
 	else:
 		path = frappe.request.path
 
-	user_type = frappe.get_cached_value("User", frappe.session.user, "user_type")
-
+	user_type = frappe.db.get_value("User", frappe.session.user, "user_type")
 	if user_type == "System User":
 		return
 
 	if not path.startswith("/api/"):
 		return
-
+	print("path", path)
 	if path.startswith("/lms") or path.startswith("/api/method/lms."):
 		return
 
diff --git a/lms/test_auth.py b/lms/test_auth.py
new file mode 100644
index 00000000..42569cbd
--- /dev/null
+++ b/lms/test_auth.py
@@ -0,0 +1,36 @@
+import frappe
+from frappe.tests import UnitTestCase
+from frappe.tests.test_api import FrappeAPITestCase
+
+from lms.auth import authenticate
+from lms.lms.test_utils import TestUtils
+
+
+class TestAuth(FrappeAPITestCase):
+	def setUp(self):
+		self.normal_user = TestUtils.create_user(
+			self, "normal-user@example.com", "Normal", "User", ["LMS Student"]
+		)
+
+	def test_allowed_path(self):
+		site_url = frappe.utils.get_site_url(frappe.local.site)
+		headers = {"Authorization": "Bearer set_test_example_user"}
+		url = site_url + "/api/method/lms.lms.utils.get_courses"
+		response = self.get(
+			url,
+			headers=headers,
+		)
+		self.assertNotEqual(response.json.get("exc_type"), "PermissionError")
+
+	def test_not_allowed_path(self):
+		site_url = frappe.utils.get_site_url(frappe.local.site)
+		headers = {"Authorization": "Bearer set_test_example_user"}
+		url = site_url + "/api/method/frappe.auth.get_logged_user"
+		response = self.get(
+			url,
+			headers=headers,
+		)
+		self.assertEqual(response.json.get("exc_type"), "PermissionError")
+
+	def tearDown(self):
+		frappe.delete_doc("User", self.normal_user.name)