From 4ef0bd30d9c4051ee5343e24655d2cfc1df246e6 Mon Sep 17 00:00:00 2001
From: Jannat Patel <pateljannat2308@gmail.com>
Date: Thu, 22 Jan 2026 13:16:12 +0530
Subject: [PATCH] test: fixed authentication tests

---
 .github/workflows/ci.yml |  3 +++
 lms/test_auth.py         | 26 +++++++++-----------------
 2 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 43412f55..d9ab25d6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -71,6 +71,9 @@ jobs:
     - name: setup requirements
       working-directory: /home/runner/frappe-bench
       run: bench setup requirements --dev
+    - name: block endpoints
+      working-directory: /home/runner/frappe-bench
+      run: bench --site frappe.local set-config block_endpoints 1
     - name: allow tests
       working-directory: /home/runner/frappe-bench
       run: bench --site frappe.local set-config allow_tests true
diff --git a/lms/test_auth.py b/lms/test_auth.py
index c5e03788..68c2ff21 100644
--- a/lms/test_auth.py
+++ b/lms/test_auth.py
@@ -1,6 +1,7 @@
 import frappe
 from frappe.tests.test_api import FrappeAPITestCase
 
+from lms.auth import authenticate
 from lms.lms.test_utils import TestUtils
 
 
@@ -11,25 +12,16 @@ class TestAuth(FrappeAPITestCase):
 		)
 
 	def test_allowed_path(self):
-		site_url = frappe.utils.get_site_url(frappe.local.site)
-		headers = {"Authorization": "Bearer set_test_example_user"}
-		url = site_url + "/api/method/lms.lms.utils.get_courses"
-		response = self.get(
-			url,
-			headers=headers,
-		)
-		self.assertNotEqual(response.json.get("exc_type"), "PermissionError")
+		frappe.form_dict.cmd = "ping"
+		frappe.session.user = self.normal_user.name
+		authenticate()
+		frappe.session.user = "Administrator"
 
 	def test_not_allowed_path(self):
-		site_url = frappe.utils.get_site_url(frappe.local.site)
-		headers = {"Authorization": "Bearer set_test_example_user"}
-		url = site_url + "/api/method/frappe.auth.get_logged_user"
-		response = self.get(
-			url,
-			headers=headers,
-		)
-		print(response.json)
-		self.assertEqual(response.json.get("exc_type"), "PermissionError")
+		frappe.form_dict.cmd = "frappe.auth.get_logged_user"
+		frappe.session.user = self.normal_user.name
+		self.assertRaises(frappe.PermissionError, authenticate)
+		frappe.session.user = "Administrator"
 
 	def tearDown(self):
 		frappe.delete_doc("User", self.normal_user.name)