From 75deebbeb68c31d4c651aac33aecefca52cab499 Mon Sep 17 00:00:00 2001
From: ryan-mchugh <ryan.mchugh@caci.com>
Date: Thu, 9 Jan 2025 18:06:36 +0000
Subject: [PATCH] B-22056 - additional test and .envrc cleanup.

---
 .envrc                                   |  4 +-
 pkg/handlers/internalapi/uploads_test.go | 47 +++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/.envrc b/.envrc
index 64ef9f3c646..7eb37fa168f 100644
--- a/.envrc
+++ b/.envrc
@@ -229,7 +229,7 @@ export TZ="UTC"
 
 # AWS development access
 #
-# To use S3/SES for local builds, you'll need to uncomment the following.
+# To use S3/SES or SNS&SQS for local builds, you'll need to uncomment the following.
 # Do not commit the change:
 #
 #   export STORAGE_BACKEND=s3
@@ -238,7 +238,7 @@ export TZ="UTC"
 #
 # Instructions for using S3 storage backend here: https://dp3.atlassian.net/wiki/spaces/MT/pages/1470955567/How+to+test+storing+data+in+S3+locally
 # Instructions for using SES email backend here: https://dp3.atlassian.net/wiki/spaces/MT/pages/1467973894/How+to+test+sending+email+locally
-# Instructions for using SNS&SQS backend here: ...
+# Instructions for using SNS&SQS backend here: https://dp3.atlassian.net/wiki/spaces/MT/pages/2793242625/How+to+test+notifications+receiver+locally
 #
 # The default and equivalent to not being set is:
 #
diff --git a/pkg/handlers/internalapi/uploads_test.go b/pkg/handlers/internalapi/uploads_test.go
index 143dfa465eb..271495e2991 100644
--- a/pkg/handlers/internalapi/uploads_test.go
+++ b/pkg/handlers/internalapi/uploads_test.go
@@ -525,7 +525,52 @@ func (suite *HandlerSuite) TestGetUploadStatusHandlerFailure() {
 		suite.Error(err)
 	})
 
-	// TODO: ADD A FORBIDDEN TEST
+	suite.Run("Error when attempting access to another service member's upload", func() {
+		fakeS3 := storageTest.NewFakeS3Storage(true)
+		localReceiver := notifications.StubNotificationReceiver{}
+
+		otherServiceMember := factory.BuildServiceMember(suite.DB(), nil, nil)
+
+		orders := factory.BuildOrder(suite.DB(), nil, nil)
+		uploadUser1 := factory.BuildUserUpload(suite.DB(), []factory.Customization{
+			{
+				Model:    orders.UploadedOrders,
+				LinkOnly: true,
+			},
+			{
+				Model: models.Upload{
+					Filename:    "FileName",
+					Bytes:       int64(15),
+					ContentType: uploader.FileTypePDF,
+				},
+			},
+		}, nil)
+
+		file := suite.Fixture(FixturePDF)
+		_, err := fakeS3.Store(uploadUser1.Upload.StorageKey, file.Data, "somehash", nil)
+		suite.NoError(err)
+
+		params := uploadop.NewGetUploadStatusParams()
+		params.UploadID = strfmt.UUID(uploadUser1.Upload.ID.String())
+
+		req := &http.Request{}
+		req = suite.AuthenticateRequest(req, otherServiceMember)
+		params.HTTPRequest = req
+
+		handlerConfig := suite.HandlerConfig()
+		handlerConfig.SetFileStorer(fakeS3)
+		handlerConfig.SetNotificationReceiver(localReceiver)
+		uploadInformationFetcher := upload.NewUploadInformationFetcher()
+		handler := GetUploadStatusHandler{handlerConfig, uploadInformationFetcher}
+
+		response := handler.Handle(params)
+		_, ok := response.(*uploadop.GetUploadStatusForbidden)
+		suite.True(ok)
+
+		queriedUpload := models.Upload{}
+		err = suite.DB().Find(&queriedUpload, uploadUser1.Upload.ID)
+		suite.NoError(err)
+	})
 }
 
 func (suite *HandlerSuite) TestCreatePPMUploadsHandlerSuccess() {