feat(reports): refine exports and restore project access

apps/projects/tests/test_views.py

@@ -1,7 +1,7 @@
 from rest_framework.test import APITestCase
 
 from apps.clients.models import Client
-from apps.projects.models import Project
+from apps.projects.models import Project, ProjectAccess
 from apps.users.models import User
 from apps.workspaces.models import Workspace, WorkspaceMembership
 
@@ -34,16 +34,19 @@ class ProjectViewTests(APITestCase):
             client=cls.first_client,
             name="Alpha",
         )
-        Project.objects.create(
+        cls.second_project = Project.objects.create(
             workspace=cls.workspace,
             client=cls.second_client,
             name="Beta",
         )
-        Project.objects.create(
+        cls.third_project = Project.objects.create(
             workspace=cls.workspace,
             client=cls.third_client,
             name="Gamma",
         )
+        cls.first_project = Project.objects.get(name="Alpha")
+        ProjectAccess.objects.create(project=cls.first_project, user=cls.member)
+        ProjectAccess.objects.create(project=cls.second_project, user=cls.member)
 
     def test_project_list_supports_multi_client_filter(self):
         self.client.force_authenticate(user=self.member)
@@ -68,3 +71,46 @@ class ProjectViewTests(APITestCase):
             result_ids,
             {str(self.first_client.id), str(self.second_client.id)},
         )
+
+    def test_project_access_list_and_mutations_require_explicit_member_access(self):
+        self.client.force_authenticate(user=self.owner)
+
+        access_response = self.client.get(
+            "/api/projects/access/",
+            {"workspace": str(self.workspace.id), "user": str(self.member.id)},
+        )
+
+        self.assertEqual(access_response.status_code, 200)
+        items = access_response.data["items"]
+        gamma_item = next(item for item in items if item["id"] == str(self.third_project.id))
+        self.assertFalse(gamma_item["has_access"])
+
+        grant_response = self.client.post(
+            "/api/projects/access/grant/",
+            {
+                "workspace": str(self.workspace.id),
+                "user": str(self.member.id),
+                "project_ids": [str(self.third_project.id)],
+            },
+            format="json",
+        )
+        self.assertEqual(grant_response.status_code, 200)
+
+        access_response = self.client.get(
+            "/api/projects/access/",
+            {"workspace": str(self.workspace.id), "user": str(self.member.id)},
+        )
+        gamma_item = next(item for item in access_response.data["items"] if item["id"] == str(self.third_project.id))
+        self.assertTrue(gamma_item["has_access"])
+
+        revoke_response = self.client.post(
+            "/api/projects/access/revoke/",
+            {
+                "workspace": str(self.workspace.id),
+                "user": str(self.member.id),
+                "project_ids": [str(self.first_project.id)],
+            },
+            format="json",
+        )
+        self.assertEqual(revoke_response.status_code, 200)
+        self.assertFalse(ProjectAccess.objects.filter(project=self.first_project, user=self.member).exists())