fix: persist account ownership for script templates and generations

2026-04-09 17:18:38 +00:00
parent 478205c208
commit 8bcf08ae06
3 changed files with 23 additions and 5 deletions
--- a/backend/app/api/endpoints/scripts.py
+++ b/backend/app/api/endpoints/scripts.py
@@ -197,6 +197,7 @@ async def create_template(
    template = ScriptTemplate(
        category_id=data.category_id,
        team_id=current_user.team_id,
+        account_id=current_user.account_id,
        created_by=current_user.id,
        name=data.name,
        slug=slug,
@@ -364,6 +365,7 @@ async def generate_script(
    generation = ScriptGeneration(
        template_id=template.id,
        user_id=current_user.id,
+        account_id=current_user.account_id,
        team_id=current_user.team_id,
        session_id=data.session_id,
        ai_session_id=data.ai_session_id,
--- a/backend/tests/test_script_templates.py
+++ b/backend/tests/test_script_templates.py
@@ -1,4 +1,6 @@
 """Integration tests for Script Template Editor permissions and share endpoint."""
+from uuid import UUID as PyUUID
+
 import pytest
 from httpx import AsyncClient
 from sqlalchemy import select
@@ -65,6 +67,9 @@ class TestScriptTemplatePermissions:
        data = resp.json()
        assert data["name"] == "Test Template"
        assert data["created_by"] is not None
+        result = await test_db.execute(select(ScriptTemplate).where(ScriptTemplate.id == PyUUID(data["id"])))
+        template = result.scalar_one()
+        assert template.account_id is not None

    @pytest.mark.asyncio
    async def test_engineer_can_edit_own_template(self, client, auth_headers, test_db):
--- a/backend/tests/test_scripts.py
+++ b/backend/tests/test_scripts.py
@@ -6,14 +6,18 @@ from datetime import datetime, timezone
 import pytest
 import sqlalchemy as sa

+from app.models.script_template import ScriptGeneration
+from app.models.user import User

 # ── Fixtures ──────────────────────────────────────────────────────────────

@pytest.fixture
-async def seed_script_data(test_db):
+async def seed_script_data(test_db, test_user):
    """Seed script categories and templates into the test database."""
    now = datetime.now(timezone.utc)
    cat_id = uuid.UUID("00000000-0000-0000-0000-000000000001")
+    user_result = await test_db.execute(sa.select(User).where(User.email == test_user["email"]))
+    user = user_result.scalar_one()

    # Insert category
    await test_db.execute(
@@ -142,20 +146,20 @@ async def seed_script_data(test_db):
        await test_db.execute(
            sa.text("""
                INSERT INTO script_templates (
-                    id, category_id, name, slug, description,
+                    id, category_id, account_id, name, slug, description,
                    script_body, parameters_schema, default_values, validation_rules,
                    tags, complexity, estimated_runtime, requires_elevation,
                    requires_modules, version, is_verified, is_active, usage_count,
                    created_at, updated_at
                ) VALUES (
-                    :id, :category_id, :name, :slug, :description,
+                    :id, :category_id, :account_id, :name, :slug, :description,
                    :script_body, CAST(:parameters_schema AS jsonb), '{}'::jsonb, '{}'::jsonb,
                    CAST(:tags AS jsonb), :complexity, :estimated_runtime, :requires_elevation,
                    '[]'::jsonb, 1, true, true, 0,
                    :now, :now
                )
            """),
-            {**tmpl, "category_id": cat_id, "now": now},
+            {**tmpl, "category_id": cat_id, "account_id": user.account_id, "now": now},
        )

    await test_db.commit()
@@ -245,7 +249,7 @@ async def test_get_template_detail_not_found(client, auth_headers):
 # ── Generate ──────────────────────────────────────────────────────────────

@pytest.mark.asyncio
-async def test_generate_script_success(client, auth_headers, seed_script_data):
+async def test_generate_script_success(client, auth_headers, seed_script_data, test_db, test_user):
    list_resp = await client.get(
        "/api/v1/scripts/templates?search=unlock",
        headers=auth_headers,
@@ -265,6 +269,13 @@ async def test_generate_script_success(client, auth_headers, seed_script_data):
    assert "script" in data
    assert "jsmith" in data["script"]
    assert "id" in data
+    generation_result = await test_db.execute(
+        sa.select(ScriptGeneration).where(ScriptGeneration.id == uuid.UUID(data["id"]))
+    )
+    generation = generation_result.scalar_one()
+    user_result = await test_db.execute(sa.select(User).where(User.email == test_user["email"]))
+    user = user_result.scalar_one()
+    assert generation.account_id == user.account_id


@pytest.mark.asyncio