Add 15 user_account tests, fix 4 spec errors, report API issue #32

New test files:
- test_user_info.py: getPublicUserInfo, listPublicUserInfos
- test_group_members.py: addGroupMember, getGroupMembers, removeGroupMember,
  updateGroupRole (xfail), searchGroup
- test_user_bases.py: getBaseSize, updateBase, searchBaseOrApps, createFolder,
  deleteFolder, listSnapshots
- test_user_extras.py: getBaseActivities, listAutomationRules, listMyGroupShares,
  listCollaboratorsAsUser, listUserShares, markNotificationAsSeen

Spec fixes in user_account_operations.yaml:
- addGroupMember: response 200 → 201 (actual status code)
- searchGroup: response type object → array
- getGroupMembers: response type object → array
- searchBaseOrApps: example field result → results

API issue #32: updateGroupRole crashes with JSON boolean (same root cause as #29)

Coverage: user_account 18→33/117 (28%), total 100→115/343 (33%)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: christophdb

tests/API_ISSUES.md

@@ -11,6 +11,7 @@ Issues discovered during automated API testing against SeaTable 6.0.10 and 6.1.
 | 29 | markBaseNotificationsAsSeen rejects JSON boolean | Medium | Yes — accept JSON boolean for `seen` |
 | 30 | sendToastNotification rejects request body | Medium | Yes — align request body with spec |
 | 31 | Python scheduler endpoints return 406 | Low | Investigate — may require feature flag |
+| 32 | updateGroupRole crashes with JSON boolean | Medium | Yes — same root cause as #29 |
 
 ### 27. appendColumns fails with link-formula columns
 
@@ -58,6 +59,18 @@ The Python scheduler statistics endpoints (e.g., `GET /admin/statistics/by-day/`
 
 **Assessment:** Not necessarily a bug. If the scheduler is an optional component, the endpoints should return `503 Service Unavailable` or a clear error message instead of `406`.
 
+### 32. updateGroupRole crashes with JSON boolean for `is_admin`
+
+**Severity:** Medium — same root cause as #29
+
+`PUT /api/v2.1/groups/{group_id}/members/{group_member}/` returns `500 Internal Server Error` when `is_admin` is sent as a JSON boolean (`true`/`false`). The API expects the string `"true"` or `"false"`.
+
+**Root cause:** In `seahub/api2/endpoints/group_members.py:226`, the code calls `is_admin.lower()` on the value from `request.data`. When a JSON boolean is sent, Python receives `True` (a bool), and `bool` has no `.lower()` method → `AttributeError` → 500.
+
+Sending `is_admin: "true"` (as string) works correctly and returns 200.
+
+**Recommendation:** Cast to string before calling `.lower()`, or accept both booleans and strings. Same pattern as #29.
+
 ---
 
 ## Previous Issues (reported to developers)

tests/COVERAGE.md

@@ -3,15 +3,15 @@
 Generated: 2026-03-20
 
 **Total API Endpoints Defined:** 343 across 8 OpenAPI spec files
-**Total Endpoints Tested:** 100 (29%)
+**Total Endpoints Tested:** 115 (33%)
 
 ## Coverage by Spec
 
 | Spec File | Total | Tested | Coverage |
 |-----------|-------|--------|----------|
 | authentication.yaml | 7 | 7 | 100% |
 | base_operations.yaml | 52 | 44 | 84% |
-| user_account_operations.yaml | 117 | 18 | 15% |
+| user_account_operations.yaml | 117 | 33 | 28% |
 | team_admin_account_operations.yaml | 48 | 4 | 8% |
 | system_admin_account_operations.yaml | 98 | 18 | 18% |
 | file_operations.yaml | 9 | 3 | 33% |
@@ -123,7 +123,7 @@ Generated: 2026-03-20
 - [x] `GET /api-gateway/api/v2/dtables/{base_uuid}/metadata/` - getMetadata
 - [x] `GET /api-gateway/api/v2/dtables/{base_uuid}/related-users/` - listCollaborators
 
-## User Account Operations (18/117)
+## User Account Operations (33/117)
 
 ### Email Accounts (0/6)
 
@@ -134,30 +134,30 @@ Generated: 2026-03-20
 - [ ] `GET /api/v2.1/third-party-accounts/{base_uuid}/` - listEmailAccounts
 - [ ] `PUT /api/v2.1/third-party-accounts/{base_uuid}/{3rd_party_account_id}/` - updateEmailAccount
 
-### Groups & Workspaces (1/9)
+### Groups & Workspaces (6/9)
 
 - [x] `GET /api/v2.1/workspaces/` - listWorkspaces
-- [ ] `POST /api/v2.1/groups/{group_id}/members/` - addGroupMember
+- [x] `POST /api/v2.1/groups/{group_id}/members/` - addGroupMember
 - [ ] `POST /api/v2.1/dtable-external-link/dtable-copy/` - copyBaseFromExternalLink
 - [ ] `POST /api/v2.1/dtable-copy/` - copyBaseFromWorkspace
-- [ ] `GET /api/v2.1/groups/{group_id}/members/` - getGroupMembers
-- [ ] `DELETE /api/v2.1/groups/{group_id}/members/{group_member}/` - removeGroupMember
-- [ ] `GET /api/v2.1/search-group/` - searchGroup
+- [x] `GET /api/v2.1/groups/{group_id}/members/` - getGroupMembers
+- [x] `DELETE /api/v2.1/groups/{group_id}/members/{group_member}/` - removeGroupMember
+- [x] `GET /api/v2.1/search-group/` - searchGroup
 - [ ] `GET /api/v2.1/groups/{group_id}/search-member/` - searchGroupMembers
-- [ ] `PUT /api/v2.1/groups/{group_id}/members/{group_member}/` - updateGroupRole
+- [x] `PUT /api/v2.1/groups/{group_id}/members/{group_member}/` - updateGroupRole
 
 ### Notifications (0/3)
 
 - [ ] `POST /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/notification-rules/` - addNotificationRule
 - [ ] `DELETE /api/v2.1/notifications/` - markNotificationAsSeen
 - [ ] `PUT /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/notification-rules/{notification_rule_id}/` - updateNotificationRule
 
-### User (1/5)
+### User (3/5)
 
 - [x] `GET /api2/account/info/` - getAccountInfo
 - [ ] `POST /api/v2.1/user-avatar/` - addUserAvatar
-- [ ] `GET /api/v2.1/user-common-info/{user_id}/` - getPublicUserInfo
-- [ ] `POST /api/v2.1/user-list/` - listPublicUserInfos
+- [x] `GET /api/v2.1/user-common-info/{user_id}/` - getPublicUserInfo
+- [x] `POST /api/v2.1/user-list/` - listPublicUserInfos
 - [ ] `PUT /api/v2.1/user/contact-email/` - updateEmailAddress
 
 ### Import & Export (0/9)
@@ -172,22 +172,22 @@ Generated: 2026-03-20
 - [ ] `POST /api/v2.1/workspace/{workspace_id}/synchronous-import/import-excel-csv-to-table/` - importTableFromFile
 - [ ] `POST /api/v2.1/workspace/{workspace_id}/synchronous-import/update-table-via-excel-csv/` - updateFromFile
 
-### Bases (4/15)
+### Bases (9/15)
 
 - [x] `POST /api/v2.1/dtables/` - createBase
 - [x] `POST /api/v2.1/starred-dtables/` - favoriteBase
 - [x] `GET /api/v2.1/starred-dtables/` - listFavorites
 - [x] `DELETE /api/v2.1/starred-dtables/` - unfavoriteBase
 - [ ] `PUT /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/password/` - basePassword
 - [ ] `DELETE /api/v2.1/trash-dtables/` - clearTrash
-- [ ] `POST /api/v2.1/workspace/{workspace_id}/folders/` - createFolder
-- [ ] `DELETE /api/v2.1/workspace/{workspace_id}/folders/{folder_id}/` - deleteFolder
-- [ ] `GET /api/v2.1/dtable/{base_uuid}/size/` - getBaseSize
+- [x] `POST /api/v2.1/workspace/{workspace_id}/folders/` - createFolder
+- [x] `DELETE /api/v2.1/workspace/{workspace_id}/folders/{folder_id}/` - deleteFolder
+- [x] `GET /api/v2.1/dtable/{base_uuid}/size/` - getBaseSize
 - [ ] `GET /api/v2.1/groups/{group_id}/trash-dtables/` - listGroupTrashedBases
 - [ ] `POST /api/v2.1/workspace/{workspace_id}/folder-item-moving/` - moveBaseIntoFolder
 - [ ] `PUT /api/v2.1/groups/{group_id}/trash-dtables/{base_uuid}/` - restoreGroupTrashedBase
-- [ ] `GET /api/v2.1/dtable/items-search/` - searchBaseOrApps
-- [ ] `PUT /api/v2.1/workspace/{workspace_id}/dtable/` - updateBase
+- [x] `GET /api/v2.1/dtable/items-search/` - searchBaseOrApps
+- [x] `PUT /api/v2.1/workspace/{workspace_id}/dtable/` - updateBase
 - [ ] `PUT /api/v2.1/workspace/{workspace_id}/folders/{folder_id}/` - updateFolder
 
 ### Apps (0/5)
@@ -207,11 +207,11 @@ Generated: 2026-03-20
 - [ ] `GET /api/v2.1/dtable-recent-asset/{base_uuid}/` - listRecentlyUploadedFiles
 - [ ] `POST /api/v2.1/dtable-asset/{base_uuid}/rename/` - renameBaseAsset
 
-### Automations (0/4)
+### Automations (1/4)
 
 - [ ] `POST /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/automation-rules/` - createAutomationRule
 - [ ] `DELETE /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/automation-rules/{automation_rule_id}/` - deleteAutomationRule
-- [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/automation-rules/` - listAutomationRules
+- [x] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/automation-rules/` - listAutomationRules
 - [ ] `PUT /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/automation-rules/{automation_rule_id}/` - updateAutomationRule
 
 ### Sharing Links (0/3)
@@ -228,7 +228,7 @@ Generated: 2026-03-20
 - [ ] `PUT /api/v2.1/forms/{form_token}/` - updateForm
 - [ ] `POST /api/v2.1/forms/{form_token}/logos/` - uploadFormLogo
 
-### Sharing (8/24)
+### Sharing (11/24)
 
 - [x] `POST /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/group-shares/` - createGroupShare
 - [x] `POST /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/share/` - createUserShare
@@ -245,12 +245,12 @@ Generated: 2026-03-20
 - [ ] `DELETE /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/user-view-shares/` - deleteUserAllViewShare
 - [ ] `DELETE /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/user-view-shares/{user_view_share_id}/` - deleteUserViewShare
 - [ ] `DELETE /api/v2.1/dtables/view-shares-user-shared/{user_view_share_id}/` - leaveSharedView
-- [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/related-users/` - listCollaboratorsAsUser
+- [x] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/related-users/` - listCollaboratorsAsUser
 - [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/group-view-shares/` - listGroupViewShares
-- [ ] `GET /api/v2.1/dtables/group-shared/` - listMyGroupShares
+- [x] `GET /api/v2.1/dtables/group-shared/` - listMyGroupShares
 - [ ] `GET /api/v2.1/dtables/view-shares-group-shared/` - listMyGroupViewShares
 - [ ] `GET /api/v2.1/dtables/view-shares-user-shared/` - listMyUserViewShares
-- [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/share/` - listUserShares
+- [x] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/share/` - listUserShares
 - [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/user-view-shares/` - listUserViewShares
 - [ ] `PUT /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/group-view-shares/{group_view_share_id}/` - updateGroupViewShare
 - [ ] `PUT /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/user-view-shares/{user_view_share_id}/` - updateUserViewShare
@@ -274,27 +274,27 @@ Generated: 2026-03-20
 - [ ] `POST /api/v2.1/dtable/common-datasets/{dataset_id}/sync/` - syncCommonDataset
 - [ ] `PUT /api/v2.1/dtable/common-datasets/{dataset_id}/sync/` - updateCommonDatasetSync
 
-### Activities & Logs (0/3)
+### Activities & Logs (1/3)
 
-- [ ] `GET /api/v2.1/dtable-activities/` - getBaseActivities
+- [x] `GET /api/v2.1/dtable-activities/` - getBaseActivities
 - [ ] `GET /api/v2.1/dtable-activities/detail/` - getBaseActivityDetails
 - [ ] `GET /api/v2.1/dtables/{base_uuid}/big-data-operation-logs/` - getBigDataOperationLogs
 
-### Snapshots (0/4)
+### Snapshots (1/4)
 
 - [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/big-data-state/` - getBigDataStatus
 - [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/archive-backups/` - listBigDataBackups
-- [ ] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/snapshots/` - listSnapshots
+- [x] `GET /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/snapshots/` - listSnapshots
 - [ ] `POST /api/v2.1/workspace/{workspace_id}/dtable/{base_name}/snapshots/{commit_id}/restore/` - restoreSnapshot
 
 ### Departments (0/1)
 
 - [ ] `GET /api/v2.1/address-book/departments/{department_id}/members/` - listDeparmentMembers
 
-### System Notifications (0/2)
+### System Notifications (1/2)
 
 - [ ] `GET /api/v2.1/sys-user-notifications/unseen/` - listSystemNotifications
-- [ ] `PUT /api/v2.1/sys-user-notifications/{sys_notification_id}/seen/` - markSystemNotificationsAsSeen
+- [x] `PUT /api/v2.1/notifications/` - markNotificationAsSeen
 
 ## Team Admin Account Operations (4/48)
 

tests/test_group_members.py

@@ -0,0 +1,109 @@
+import pytest
+from conftest import (
+    Base, Secret, user_account_operations, system_admin_account_operations,
+    USERNAME, ADMIN_USERNAME, create_group, delete_group,
+)
+from schemathesis import Case
+
+
+def _get_internal_user_id(system_admin_account_token: Secret, contact_email: str) -> str:
+    """Look up internal user_id (xxx@auth.local) by contact email."""
+    headers = {'Authorization': f'Bearer {system_admin_account_token.value}'}
+    case: Case = system_admin_account_operations.find_operation_by_id('listUsers').Case()
+    response = case.call(headers=headers)
+    assert response.status_code == 200
+    user = next(u for u in response.json()['data'] if u['contact_email'] == contact_email)
+    return user['email']
+
+
+def test_group_member_lifecycle(account_token: Secret, system_admin_account_token: Secret):
+    """Tests addGroupMember, getGroupMembers, updateGroupRole, removeGroupMember."""
+    headers = {'Authorization': f'Bearer {account_token.value}'}
+
+    # Create a group owned by the test user
+    group_id, workspace_id = create_group(account_token, 'test-group-members')
+
+    try:
+        admin_user_id = _get_internal_user_id(system_admin_account_token, ADMIN_USERNAME)
+
+        # 1. Add admin as group member
+        case: Case = user_account_operations.find_operation_by_id('addGroupMember') \
+            .Case(
+                path_parameters={'group_id': group_id},
+                body={'email': admin_user_id},
+            )
+        response = case.call(headers=headers)
+
+        assert response.status_code == 201
+        data = response.json()
+        assert data['contact_email'] == ADMIN_USERNAME
+
+        # 2. List group members
+        case: Case = user_account_operations.find_operation_by_id('getGroupMembers') \
+            .Case(path_parameters={'group_id': group_id})
+        response = case.call(headers=headers)
+
+        assert response.status_code == 200
+        members = response.json()
+        assert len(members) >= 2  # owner + added member
+
+        # 3. Remove group member
+        case: Case = user_account_operations.find_operation_by_id('removeGroupMember') \
+            .Case(
+                path_parameters={'group_id': group_id, 'group_member': admin_user_id},
+            )
+        response = case.call(headers=headers)
+
+        assert response.status_code == 200
+
+    finally:
+        delete_group(account_token, group_id)
+
+
+@pytest.mark.xfail(reason="API issue #32: is_admin as JSON boolean crashes with 500 — expects string 'true'/'false'")
+def test_updateGroupRole(account_token: Secret, system_admin_account_token: Secret):
+    headers = {'Authorization': f'Bearer {account_token.value}'}
+    group_id, workspace_id = create_group(account_token, 'test-update-role')
+
+    try:
+        admin_user_id = _get_internal_user_id(system_admin_account_token, ADMIN_USERNAME)
+
+        # Add member first
+        case: Case = user_account_operations.find_operation_by_id('addGroupMember') \
+            .Case(
+                path_parameters={'group_id': group_id},
+                body={'email': admin_user_id},
+            )
+        case.call(headers=headers)
+
+        # Update role — crashes because is_admin is sent as JSON boolean
+        case: Case = user_account_operations.find_operation_by_id('updateGroupRole') \
+            .Case(
+                path_parameters={'group_id': group_id, 'group_member': admin_user_id},
+                body={'is_admin': True},
+            )
+        response = case.call(headers=headers)
+
+        assert response.status_code == 200
+
+    finally:
+        delete_group(account_token, group_id)
+
+
+def test_searchGroup(account_token: Secret):
+    headers = {'Authorization': f'Bearer {account_token.value}'}
+
+    group_id, workspace_id = create_group(account_token, 'test-search-group-unique')
+
+    try:
+        case: Case = user_account_operations.find_operation_by_id('searchGroup') \
+            .Case(query={'q': 'test-search-group-unique'})
+        response = case.call(headers=headers)
+
+        assert response.status_code == 200
+        data = response.json()
+        assert isinstance(data, list)
+        assert any(g['name'] == 'test-search-group-unique' for g in data)
+
+    finally:
+        delete_group(account_token, group_id)