work-order-hardening

tests/test_production_flows.py

@@ -50,6 +50,19 @@ async def test_employee_invite_activation_revoked_and_expired(
     dashboard = await client.get(f"/api/sto/dashboard?service_center_id={center['id']}", headers=other_auth_headers)
     assert dashboard.status_code == 200
 
+    other_center = await create_verified_center(
+        client,
+        auth_headers,
+        admin_auth_headers,
+        internal_headers,
+        "Other Tenant Service",
+    )
+    cross_tenant_dashboard = await client.get(
+        f"/api/sto/dashboard?service_center_id={other_center['id']}",
+        headers=other_auth_headers,
+    )
+    assert cross_tenant_dashboard.status_code == 403
+
     revoked_invite = (
         await client.post(
             f"/api/service-centers/{center['id']}/employees/invite",
@@ -193,6 +206,22 @@ async def test_work_order_completion_creates_vehicle_records_and_updates_costs(
     )
     assert correction.status_code == 201
     assert correction.json()["created_version"] == completed.json()["version"]
+    corrections = await client.get(f"/api/work-orders/{work_order['id']}/corrections", headers=other_auth_headers)
+    assert corrections.status_code == 200
+    assert corrections.json()[0]["id"] == correction.json()["id"]
+    approved_correction = await client.post(
+        f"/api/work-orders/corrections/{correction.json()['id']}/approve",
+        headers=other_auth_headers,
+        json={"comment": "Correction accepted"},
+    )
+    assert approved_correction.status_code == 200
+    assert approved_correction.json()["status"] == "approved"
+    repeated_correction_decision = await client.post(
+        f"/api/work-orders/corrections/{correction.json()['id']}/reject",
+        headers=other_auth_headers,
+        json={"comment": "Too late"},
+    )
+    assert repeated_correction_decision.status_code == 409
 
     service_history = await client.get(
         f"/api/my/vehicles/{vehicle['id']}/service-history",