OpenUpSA · desafinadude · Dec 14, 2025 · Dec 14, 2025
diff --git a/test/test_search.py b/test/test_search.py
@@ -697,9 +697,6 @@ def test_search_access_control_private_project_all_roles(
     client, role_fixture, role_name, request, private_project_with_submission
 ):
     """Test that all project roles (admin, contributor, viewer) can search private project data"""
-    # skip if role name not org-admin: fix later
-    if role_name != "org-admin":
-        pytest.skip("Skipping non org-admin roles for now")
 
     # Get the token from the fixture
     token = request.getfixturevalue(role_fixture)

diff --git a/test/test_submissions_rbac.py b/test/test_submissions_rbac.py
@@ -356,9 +356,9 @@ def test_contributor_can_delete_own_draft(
         assert cursor.fetchone() is None
 
 
-@pytest.mark.skip(
-    reason="Application doesn't check submission ownership for delete operations - any contributor can delete any submission in their project"
-)
+# @pytest.mark.skip(
+#     reason="Application doesn't check submission ownership for delete operations - any contributor can delete any submission in their project"
+# )
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_contributor_cannot_delete_other_draft(
@@ -668,9 +668,9 @@ def test_contributor_can_unpublish_own_submission(
             cursor.execute("DELETE FROM submissions WHERE id = %s", (draft["id"],))
 
 
-@pytest.mark.skip(
-    reason="Application doesn't check submission ownership for unpublish operations - any contributor can unpublish any submission in their project"
-)
+# @pytest.mark.skip(
+#     reason="Application doesn't check submission ownership for unpublish operations - any contributor can unpublish any submission in their project"
+# )
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_contributor_cannot_unpublish_other_submission(
@@ -846,25 +846,26 @@ def test_viewer_cannot_unpublish_submission(
 # ============================================================================
 
 
-@pytest.mark.skip(reason="Semi-private projects not supported by database schema")
+# @pytest.mark.skip(reason="Semi-private projects not supported by database schema")
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_semi_private_drafts_same_as_private_project(
     client,
     system_admin_token,
     semi_private_project,
     project_contributor,
-    project_contributor_token,
-    external_user_token,
+    external_user,
 ):
     """Drafts on semi-private projects behave like private projects"""
-    add_project_member(
+    # Get fresh token after adding user to project
+    project_contributor_token = add_project_member_and_get_token(
         client,
         system_admin_token,
         semi_private_project["id"],
-        project_contributor["user_id"],
+        project_contributor,
         "project-contributor",
     )
+    external_user_token = get_fresh_token(external_user["email"])
 
     # Create draft
     draft = create_draft_submission(
@@ -889,31 +890,30 @@ def test_semi_private_drafts_same_as_private_project(
             cursor.execute("DELETE FROM submissions WHERE id = %s", (draft["id"],))
 
 
-@pytest.mark.skip(reason="Semi-private projects not supported by database schema")
+# @pytest.mark.skip(reason="Semi-private projects not supported by database schema")
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_semi_private_internal_access_same_as_private(
     client,
     system_admin_token,
     semi_private_project,
     project_contributor,
-    project_contributor_token,
     project_viewer,
-    project_viewer_token,
 ):
     """Internal access rules are same as private projects"""
-    add_project_member(
+    # Get fresh tokens after adding users to project
+    project_contributor_token = add_project_member_and_get_token(
         client,
         system_admin_token,
         semi_private_project["id"],
-        project_contributor["user_id"],
+        project_contributor,
         "project-contributor",
     )
-    add_project_member(
+    project_viewer_token = add_project_member_and_get_token(
         client,
         system_admin_token,
         semi_private_project["id"],
-        project_viewer["user_id"],
+        project_viewer,
         "project-viewer",
     )
 
@@ -944,7 +944,7 @@ def test_semi_private_internal_access_same_as_private(
             cursor.execute("DELETE FROM submissions WHERE id = %s", (draft["id"],))
 
 
-@pytest.mark.skip(reason="Semi-private projects not supported by database schema")
+# @pytest.mark.skip(reason="Semi-private projects not supported by database schema")
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_semi_private_external_cannot_list_submissions(
@@ -1009,9 +1009,9 @@ def test_public_project_drafts_remain_private(
             cursor.execute("DELETE FROM submissions WHERE id = %s", (draft["id"],))
 
 
-@pytest.mark.skip(
-    reason="Application doesn't grant implicit viewer access for public projects - requires explicit project membership"
-)
+# @pytest.mark.skip(
+#     reason="Application doesn't grant implicit viewer access for public projects - requires explicit project membership"
+# )
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_public_project_external_user_has_implicit_viewer_role(
@@ -1122,9 +1122,9 @@ def test_public_project_external_user_cannot_manage_submissions(
             cursor.execute("DELETE FROM submissions WHERE id = %s", (draft["id"],))
 
 
-@pytest.mark.skip(
-    reason="Application doesn't grant implicit viewer access for public projects - requires explicit project membership"
-)
+# @pytest.mark.skip(
+#     reason="Application doesn't grant implicit viewer access for public projects - requires explicit project membership"
+# )
 @pytest.mark.rbac
 @pytest.mark.submission
 def test_public_project_external_user_can_view_published_data(