DELETE /api/v1/contacts/:id allows deletion when has_transaction_or_report=true but should be blocked with 4xx response #1828

@exalate-issue-sync

I have a spec in `e2e-extended/contacts/contacts.delete.cy.ts` currently being skipped (`xit`) because it forces an API DELETE request which returns with a 200, not the expected 4xx. I’ve included the spec below for context.

```ts
/**
 * DELETE /api/v1/contacts/:id allows deletion when has_transaction_or_report=true
 * but should be blocked with 403 or 409 response
 * needs changes in backend to enforce properly
 */
xit('Linked: API delete is rejected (403/409)', () => {
  const fetchLinkedContact = (attempt = 1) =>
    waitForLinkedContactStatusFromApi(true, attempt, {
      pageSize: 10,
      logLabel: 'Linked contact not marked as linked yet',
      errorLabel: 'Setup error',
    });

  return fetchLinkedContact().then((linkedContact) =>
    ContactsDeleteHelpers.requestWithCookies(
      'DELETE',
      `http://localhost:8080/api/v1/contacts/${linkedContact.id}/`,
      undefined,
      { failOnStatusCode: false },
    ).then((response) => {
      let bodyPreview = '';
      try {
        const serialized = JSON.stringify(response.body ?? null);
        bodyPreview = serialized ?? '';
      } catch (error) {
        bodyPreview = String(error);
      }
      Cypress.log({
        name: 'deleteContact api',
        message: `status ${response.status} body ${bodyPreview.slice(0, 500)}`,
      });
      expect(
        response.status,
        'DELETE should be blocked for linked contact (expected 403/409)',
      ).to.be.oneOf([403, 409]);
    }),
  );
});
}); // closes the enclosing block, which this excerpt does not show
```

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FOSEC-94
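
An added sketch, not part of the original issue and not the project's backend code: the unguarded delete described above next to a handler that enforces the rule server-side. Only the field name `has_transaction_or_report` and the 200/409 status codes come from the issue; the in-memory store, the function names and the sample records are assumptions constructed for illustration.

```javascript
// Constructed sample data: one contact referenced by a transaction, one not.
function makeStore() {
  return {
    contacts: new Map([
      ['c-linked', { id: 'c-linked' }],
      ['c-free', { id: 'c-free' }],
    ]),
    // Records (transactions or reports) that point at a contact.
    references: [{ kind: 'transaction', contactId: 'c-linked' }],
  };
}

// Server-side equivalent of has_transaction_or_report: derived from the
// referencing records at request time, never taken from the request itself.
function hasTransactionOrReport(store, contactId) {
  return store.references.some((ref) => ref.contactId === contactId);
}

// Behaviour reported in the issue: the endpoint deletes unconditionally.
function deleteContactUnguarded(store, contactId) {
  if (!store.contacts.has(contactId)) return { status: 404 };
  store.contacts.delete(contactId);
  return { status: 200 };
}

// Guarded handler: refuse with 409 while the contact is still referenced,
// so a direct API call is held to the same rule as the UI.
function deleteContactGuarded(store, contactId) {
  if (!store.contacts.has(contactId)) return { status: 404 };
  if (hasTransactionOrReport(store, contactId)) {
    return {
      status: 409,
      body: { detail: 'Contact is linked to a transaction or report' },
    };
  }
  store.contacts.delete(contactId);
  return { status: 200 };
}

// In this model, references left pointing at a contact that no longer exists.
function danglingReferences(store) {
  return store.references.filter((ref) => !store.contacts.has(ref.contactId));
}
```
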
