feat: enhance contact access control; add tests for member viewing and updating foreign contacts

tests/api/v1/test_contacts.py

@@ -124,6 +124,115 @@ async def test_member_cannot_assign_foreign_owner(
     assert response.status_code == 403
 
 
+@pytest.mark.asyncio
+async def test_member_can_view_foreign_contacts(
+    session_factory: async_sessionmaker[AsyncSession], client: AsyncClient
+) -> None:
+    scenario = await prepare_scenario(session_factory)
+    token = make_token(scenario.user_id, scenario.user_email)
+
+    async with session_factory() as session:
+        membership = await session.scalar(
+            select(OrganizationMember).where(
+                OrganizationMember.organization_id == scenario.organization_id,
+                OrganizationMember.user_id == scenario.user_id,
+            )
+        )
+        assert membership is not None
+        membership.role = OrganizationRole.MEMBER
+
+        other_user = User(
+            email="viewer@example.com",
+            hashed_password="hashed",
+            name="Viewer",
+            is_active=True,
+        )
+        session.add(other_user)
+        await session.flush()
+
+        session.add(
+            OrganizationMember(
+                organization_id=scenario.organization_id,
+                user_id=other_user.id,
+                role=OrganizationRole.MANAGER,
+            )
+        )
+
+        session.add(
+            Contact(
+                organization_id=scenario.organization_id,
+                owner_id=other_user.id,
+                name="Foreign Owner",
+                email="foreign@example.com",
+                phone=None,
+            )
+        )
+        await session.commit()
+
+    response = await client.get(
+        "/api/v1/contacts/",
+        headers=auth_headers(token, scenario),
+    )
+
+    assert response.status_code == 200
+    names = {contact["name"] for contact in response.json()}
+    assert {"John Doe", "Foreign Owner"}.issubset(names)
+
+
+@pytest.mark.asyncio
+async def test_member_patch_foreign_contact_forbidden(
+    session_factory: async_sessionmaker[AsyncSession], client: AsyncClient
+) -> None:
+    scenario = await prepare_scenario(session_factory)
+    token = make_token(scenario.user_id, scenario.user_email)
+
+    async with session_factory() as session:
+        membership = await session.scalar(
+            select(OrganizationMember).where(
+                OrganizationMember.organization_id == scenario.organization_id,
+                OrganizationMember.user_id == scenario.user_id,
+            )
+        )
+        assert membership is not None
+        membership.role = OrganizationRole.MEMBER
+
+        other_user = User(
+            email="owner2@example.com",
+            hashed_password="hashed",
+            name="Owner2",
+            is_active=True,
+        )
+        session.add(other_user)
+        await session.flush()
+
+        session.add(
+            OrganizationMember(
+                organization_id=scenario.organization_id,
+                user_id=other_user.id,
+                role=OrganizationRole.MANAGER,
+            )
+        )
+
+        contact = Contact(
+            organization_id=scenario.organization_id,
+            owner_id=other_user.id,
+            name="Locked Contact",
+            email="locked@example.com",
+            phone=None,
+        )
+        session.add(contact)
+        await session.commit()
+        contact_id = contact.id
+
+    response = await client.patch(
+        f"/api/v1/contacts/{contact_id}",
+        json={"name": "Hacked"},
+        headers=auth_headers(token, scenario),
+    )
+
+    assert response.status_code == 403
+
+
 @pytest.mark.asyncio
 async def test_patch_contact_updates_fields(
     session_factory: async_sessionmaker[AsyncSession], client: AsyncClient