@@ -332,6 +332,14 @@ def test_get_organization_user_databases(docker_url):
332332 client .create_organization (org_name )
333333 client .create_database (db_name , team = org_name )
334334 client .create_database (db_name2 , team = org_name )
335+
336+ # BEFORE grant: verify our specific databases are NOT accessible to admin user
337+ databases_before = client .get_organization_user_databases (org = org_name , username = "admin" )
338+ db_names_before = {db ['name' ] for db in databases_before }
339+ assert db_name not in db_names_before , f"{ db_name }
340+ assert db_name2 not in db_names_before , f"{ db_name2 }
341+
342+ # Grant capabilities to admin user for the organization
335343 capability_change = {
336344 "operation" : "grant" ,
337345 "scope" : f"Organization/{ org_name } ,
@@ -341,10 +349,15 @@ def test_get_organization_user_databases(docker_url):
341349 ]
342350 }
343351 client .change_capabilities (capability_change )
344- databases = client .get_organization_user_databases (org = org_name , username = "admin" )
345- assert len (databases ) == 2
346- assert databases [0 ]['name' ] == db_name
347- assert databases [1 ]['name' ] == db_name2
352+
353+ # AFTER grant: verify our specific databases ARE accessible to admin user
354+ databases_after = client .get_organization_user_databases (org = org_name , username = "admin" )
355+ db_names_after = {db ['name' ] for db in databases_after }
356+ # Check both our databases are now accessible (order not guaranteed)
357+ assert db_name in db_names_after , f"{ db_name }
358+ assert db_name2 in db_names_after , f"{ db_name2 }
359+ # Verify admin team database does NOT appear in organization results
360+ assert db_name + "admin" not in db_names_after , f"{ db_name } { org_name }
348361
349362
350363def test_has_database (docker_url ):
0 commit comments