antosubash · antosubash · May 23, 2026 · May 23, 2026 · May 23, 2026
diff --git a/tests/e2e/tests/flows/filestorage-crud.spec.ts b/tests/e2e/tests/flows/filestorage-crud.spec.ts
@@ -153,14 +153,16 @@ test.describe('FileStorage permissions', () => {
           },
         },
       });
-      expect(response.status()).toBe(302);
+      // API endpoints return 401 for unauthenticated requests (no redirect for non-browser clients)
+      expect(response.status()).toBe(401);
     });
 
     test('delete is rejected', async ({ request }) => {
       const response = await request.delete('/api/files/1', {
         maxRedirects: 0,
       });
-      expect(response.status()).toBe(302);
+      // API endpoints return 401 for unauthenticated requests (no redirect for non-browser clients)
+      expect(response.status()).toBe(401);
     });
   });
 });
diff --git a/tests/e2e/tests/flows/permissions.spec.ts b/tests/e2e/tests/flows/permissions.spec.ts
@@ -15,7 +15,7 @@ test.describe('Permission System', () => {
     });
 
     test('can access settings page', async ({ page }) => {
-      await page.goto('/settings');
+      await page.goto('/settings/me');
       await expect(page.getByRole('heading', { name: /settings/i })).toBeVisible();
     });
   });
@@ -25,10 +25,10 @@ test.describe('Permission System', () => {
     test.use({ storageState: { cookies: [], origins: [] } });
 
     test('admin API rejects unauthenticated request', async ({ request }) => {
-      const response = await request.get('/api/admin/users', {
+      const response = await request.get('/admin/users', {
         maxRedirects: 0,
       });
-      // Identity cookie scheme returns 302 redirect to login for unauthenticated requests
+      // Identity cookie scheme returns 302 redirect to login for unauthenticated browser requests
       expect(response.status()).toBe(302);
     });