"""M6: Admin-Rollen/Rechte-API — Zugriffskontrolle."""
import pytest
from fastapi import HTTPException

from routers.admin_rights import get_capability_matrix, _require_superadmin


def test_require_superadmin_denies_admin():
    with pytest.raises(HTTPException) as exc:
        _require_superadmin({"role": "admin"})
    assert exc.value.status_code == 403


def test_require_superadmin_allows():
    _require_superadmin({"role": "superadmin"})


def test_get_capability_matrix_requires_superadmin():
    with pytest.raises(HTTPException) as exc:
        get_capability_matrix(session={"role": "trainer"})
    assert exc.value.status_code == 403