[TESTING] Add security tests for permission bypass scenarios #44

@7tg

Description

Missing test coverage for permission bypass attempts and authentication edge cases.

Missing Tests

Permission Bypass Tests

  • test_related_without_view_permission - Verify handle_related() denies access
  • test_history_without_view_permission - Verify handle_history() denies access
  • test_autocomplete_without_view_permission - Verify handle_autocomplete() denies access
  • test_describe_without_view_permission - Verify handle_describe() denies access
  • test_find_models_filters_by_permission - Verify only accessible models returned
  • test_inline_create_without_add_permission - Verify inline permission escalation blocked
  • test_inline_delete_without_delete_permission - Verify inline delete denied

Token Tests

  • test_token_expiration_at_exact_boundary - Token expires at timezone.now()
  • test_inactive_token_not_marked_used - Inactive tokens don't update last_used_at
  • test_token_permissions_not_cached_after_revocation - Revoked permissions take effect
  • test_permission_denied_does_not_leak_model_existence - Same error for non-existent and forbidden
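As an added illustration, not code from this issue or the project, here is a minimal stand-in for the handler logic the permission and token tests above would exercise: exact-boundary expiry, inactive tokens leaving last_used_at untouched, uncached permissions, permission-filtered model listing, and an identical error for unknown and forbidden models. MODELS, Token, make_token, token_is_valid, find_models and handle_describe are hypothetical names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set

# Constructed registry (hypothetical): model name -> permission codename required to view it.
MODELS = {"article": "view_article", "comment": "view_comment"}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the checks are deterministic


@dataclass
class Token:
    perms: Set[str]  # live permission set, consulted on every call rather than cached
    expires_at: datetime
    is_active: bool = True
    last_used_at: Optional[datetime] = None


def make_token(perms, ttl_seconds, is_active=True):
    return Token(set(perms), NOW + timedelta(seconds=ttl_seconds), is_active)


def token_is_valid(token, now):
    # Boundary is exclusive: a token whose expires_at equals now is already expired.
    return token.is_active and now < token.expires_at


def find_models(token, now):
    # Only models the token may view are listed; an unusable token sees nothing.
    if not token_is_valid(token, now):
        return []
    return sorted(m for m, perm in MODELS.items() if perm in token.perms)


def handle_describe(token, model_name, now):
    # Inactive or expired tokens are rejected before last_used_at is touched.
    if not token_is_valid(token, now):
        return {"error": "invalid_token"}
    token.last_used_at = now
    required = MODELS.get(model_name)
    # Unknown and forbidden models produce the identical response, so the error
    # cannot be used to learn which models exist.
    if required is None or required not in token.perms:
        return {"error": "permission_denied"}
    return {"result": {"model": model_name}}


if __name__ == "__main__":
    t = make_token({"view_article"}, 3600)
    print(handle_describe(t, "comment", NOW), handle_describe(t, "no_such_model", NOW))
```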

Input Validation Tests

  • test_sql_injection_in_filter_keys - Malicious filter key names
  • test_order_by_with_raw_sql_attempt - SQL in ordering parameter
  • test_filter_with_dangerous_lookups - regex, raw lookups rejected

Example Test

import pytest


@pytest.mark.django_db
@pytest.mark.asyncio
async def test_related_without_view_permission(token_without_permissions, async_client):
    """Verify handle_related denies access without view permission."""
    response = await async_client.post(
        "/mcp/",
        json={"method": "tools/call", "params": {"name": "related_article", ...}},
        headers={"Authorization": f"Bearer {token_without_permissions.token}"},
    )
    # The transport answers 200; the denial is carried in the JSON-RPC body.
    assert response.status_code == 200
    data = response.json()
    assert "permission_denied" in str(data)
