"""Tests for admin endpoints."""


class TestAdminAccess:
    def test_admin_requires_auth(self, client):
        """GET /admin requires authentication."""
        client.cookies.clear()
        response = client.get("/admin", follow_redirects=False)
        assert response.status_code == 302

    def test_admin_requires_admin_role(self, auth_client):
        """GET /admin returns 403 for non-admin users."""
        response = auth_client.get("/admin")
        # tester user has role='user', should get 403
        assert response.status_code == 403 or "detail" in response.json()

    def test_admin_users_requires_admin(self, auth_client):
        """GET /admin/users returns 403 for non-admin users."""
        response = auth_client.get("/admin/users")
        assert response.status_code == 403

    def test_admin_audit_requires_admin(self, auth_client):
        """GET /admin/audit returns 403 for non-admin users."""
        response = auth_client.get("/admin/audit")
        assert response.status_code == 403

    def test_admin_ai_usage_requires_admin(self, auth_client):
        """GET /admin/ai-usage returns 403 for non-admin users."""
        response = auth_client.get("/admin/ai-usage")
        assert response.status_code == 403