feat: enhance contact access control; add tests for member viewing and updating foreign contacts

tests/services/test_contact_service.py

@@ -182,6 +182,40 @@ async def test_member_owner_filter_forbidden(session: AsyncSession) -> None:
         )
 
 
+@pytest.mark.asyncio
+async def test_member_can_view_foreign_contacts(session: AsyncSession) -> None:
+    owner = _make_user("owner")
+    member = _make_user("member")
+    context, repo, contact = await _setup_contact(
+        session,
+        role=OrganizationRole.MEMBER,
+        owner=owner,
+        context_user=member,
+    )
+    service = ContactService(repository=repo)
+
+    contacts = await service.list_contacts(filters=ContactListFilters(), context=context)
+
+    assert contacts and contacts[0].id == contact.id
+    assert contacts[0].owner_id == owner.id != context.user_id
+
+
+@pytest.mark.asyncio
+async def test_member_cannot_update_foreign_contact(session: AsyncSession) -> None:
+    owner = _make_user("owner")
+    member = _make_user("member")
+    context, repo, contact = await _setup_contact(
+        session,
+        role=OrganizationRole.MEMBER,
+        owner=owner,
+        context_user=member,
+    )
+    service = ContactService(repository=repo)
+
+    with pytest.raises(ContactForbiddenError):
+        await service.update_contact(contact, ContactUpdateData(name="Blocked"), context=context)
+
+
 @pytest.mark.asyncio
 async def test_update_contact_allows_nullifying_fields(session: AsyncSession) -> None:
     context, repo, contact = await _setup_contact(session)