finishing QDRO section

tests/test_admin_api.py

@@ -20,6 +20,7 @@ class _User:
         self.is_active = True
         self.first_name = "Test"
         self.last_name = "User"
+        self.is_approver = is_admin
 
 
 @pytest.fixture()
@@ -168,3 +169,79 @@ def test_printer_setup_crud(client_admin: TestClient):
     assert "TestPrinter" not in names
 
 
+def test_qdro_notification_routes_admin_crud(client_admin: TestClient):
+    # Initially list should succeed
+    resp = client_admin.get("/api/admin/qdro/notification-routes")
+    assert resp.status_code == 200
+    assert "items" in resp.json()
+
+    # Create a per-file route
+    file_no = "ROUTE-123"
+    payload = {
+        "scope": "file",
+        "identifier": file_no,
+        "email_to": "a@example.com,b@example.com",
+        "webhook_url": "https://hooks.example.com/qdro",
+        "webhook_secret": "sekret",
+    }
+    resp = client_admin.post("/api/admin/qdro/notification-routes", json=payload)
+    assert resp.status_code == 200, resp.text
+
+    # Verify appears in list
+    resp = client_admin.get("/api/admin/qdro/notification-routes?scope=file")
+    assert resp.status_code == 200
+    items = resp.json().get("items")
+    assert any(it["identifier"] == file_no and it["email_to"] for it in items)
+
+    # Delete route
+    resp = client_admin.delete(f"/api/admin/qdro/notification-routes/file/{file_no}")
+    assert resp.status_code == 200
+    # Verify gone
+    resp = client_admin.get("/api/admin/qdro/notification-routes?scope=file")
+    assert resp.status_code == 200
+    items = resp.json().get("items")
+    assert not any(it["identifier"] == file_no for it in items)
+
+def test_approver_toggle_admin_only(client_admin: TestClient):
+    # Create a user
+    uname = f"u_{uuid.uuid4().hex[:6]}"
+    resp = client_admin.post(
+        "/api/admin/users",
+        json={
+            "username": uname,
+            "email": f"{uname}@example.com",
+            "password": "secret123",
+            "first_name": "A",
+            "last_name": "B",
+            "is_admin": False,
+            "is_active": True,
+            "is_approver": False,
+        },
+    )
+    assert resp.status_code == 200, resp.text
+    user_id = resp.json()["id"]
+
+    # Toggle approver on
+    resp = client_admin.post(f"/api/admin/users/{user_id}/approver", json={"is_approver": True})
+    assert resp.status_code == 200, resp.text
+    assert resp.json()["is_approver"] is True
+
+    # Toggle approver off
+    resp = client_admin.post(f"/api/admin/users/{user_id}/approver", json={"is_approver": False})
+    assert resp.status_code == 200, resp.text
+    assert resp.json()["is_approver"] is False
+
+    # Non-admin should be forbidden
+    app.dependency_overrides[get_current_user] = lambda: _User(False)
+    # Ensure admin override is not present so permission is enforced
+    prev_admin_override = app.dependency_overrides.pop(get_admin_user, None)
+    try:
+        c = TestClient(app)
+        resp = c.post(f"/api/admin/users/{user_id}/approver", json={"is_approver": True})
+        assert_http_error(resp, 403, "Not enough permissions")
+    finally:
+        if prev_admin_override is not None:
+            app.dependency_overrides[get_admin_user] = prev_admin_override
+        app.dependency_overrides.pop(get_current_user, None)
+
+