Add feature flag to enable team syncing setup when not a superuser

endpoints/api/test/test_security.py

@@ -1,3 +1,5 @@
+from mock import patch
+
 import pytest
 from flask_principal import AnonymousIdentity
 
@@ -10,7 +12,7 @@ from endpoints.api.signing import RepositorySignatures
 from endpoints.api.search import ConductRepositorySearch
 from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
 from endpoints.api.superuser import SuperUserRepositoryBuildStatus
-from endpoints.test.shared import client_with_identity
+from endpoints.test.shared import client_with_identity, toggle_feature
 
 from test.fixtures import *
 
@@ -69,3 +71,27 @@ NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple',
 def test_api_security(resource, method, params, body, identity, expected, client):
   with client_with_identity(identity, client) as cl:
     conduct_api_call(cl, resource, method, params, body, expected)
+
+
+@pytest.mark.parametrize('is_superuser', [
+  (True),
+  (False),
+])
+@pytest.mark.parametrize('allow_nonsuperuser', [
+  (True),
+  (False),
+])
+@pytest.mark.parametrize('method, expected', [
+  ('POST', 400),
+  ('DELETE', 200),
+])
+def test_team_sync_security(is_superuser, allow_nonsuperuser, method, expected, client):
+  def is_superuser_method(_):
+    return is_superuser
+
+  with patch('auth.permissions.superusers.is_superuser', is_superuser_method):
+    with toggle_feature('NONSUPERUSER_TEAM_SYNCING_SETUP', allow_nonsuperuser):
+      with client_with_identity('devtable', client) as cl:
+        expect_success = is_superuser or allow_nonsuperuser
+        expected_status = expected if expect_success else 403
+        conduct_api_call(cl, OrganizationTeamSyncing, method, TEAM_PARAMS, {}, expected_status)