canonical · marceloneppel · Jun 13, 2025 · May 6, 2025 · May 6, 2025 · May 6, 2025
diff --git a/tests/integration/test_predefined_roles.py b/tests/integration/test_predefined_roles.py
@@ -106,6 +106,7 @@ async def test_charmed_read_role(ops_test: OpsTest):
         connection.autocommit = True
 
         with connection.cursor() as cursor:
+            logger.info("Checking that the charmed_read role can read from the database")
             cursor.execute("RESET ROLE;")
             cursor.execute(
                 "SELECT table_name FROM information_schema.tables WHERE table_name NOT LIKE 'pg_%' AND table_name NOT LIKE 'sql_%' AND table_type <> 'VIEW';"
@@ -118,6 +119,19 @@ async def test_charmed_read_role(ops_test: OpsTest):
             assert data == sorted(["test_data", "test_data_2"]), (
                 "Unexpected data in charmed_read_database with charmed_read role"
             )
+            logger.info("Checking that the charmed_read role cannot create a new table")
+            with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+                cursor.execute("CREATE TABLE test_table_2 (id INTEGER);")
+    connection.close()
+
+    with psycopg2.connect(connection_string) as connection, connection.cursor() as cursor:
+        logger.info("Checking that the charmed_read role cannot write to an existing table")
+        cursor.execute("RESET ROLE;")
+        with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+            cursor.execute(
+                "INSERT INTO test_table (data) VALUES ('test_data_3'), ('test_data_4');"
+            )
+    connection.close()
 
     await ops_test.model.applications[DATABASE_APP_NAME].remove_relation(
         f"{DATABASE_APP_NAME}:database", f"{DATA_INTEGRATOR_APP_NAME}:postgresql"