fix(holiday-calendar): scope resource holiday reads

2026-03-30 12:10:52 +02:00
parent c7434c968e
commit 016f862405
4 changed files with 226 additions and 3 deletions
@@ -0,0 +1,179 @@
+import { SystemRole } from "@capakraken/shared";
+import { describe, expect, it, vi } from "vitest";
+import { createCallerFactory } from "../trpc.js";
+import { holidayCalendarRouter } from "../router/holiday-calendar.js";
+
+vi.mock("../lib/audit.js", () => ({
+  createAuditEntry: vi.fn().mockResolvedValue(undefined),
+}));
+
+const createCaller = createCallerFactory(holidayCalendarRouter);
+
+function createContext(
+  db: Record<string, unknown>,
+  options: {
+    role?: SystemRole;
+    session?: boolean;
+  } = {},
+) {
+  const { role = SystemRole.USER, session = true } = options;
+
+  return {
+    session: session
+      ? {
+          user: { email: "user@example.com", name: "User", image: null },
+          expires: "2099-01-01T00:00:00.000Z",
+        }
+      : null,
+    db: db as never,
+    dbUser: session
+      ? {
+          id: role === SystemRole.ADMIN ? "user_admin" : role === SystemRole.MANAGER ? "user_mgr" : "user_1",
+          systemRole: role,
+          permissionOverrides: null,
+        }
+      : null,
+  };
+}
+
+function resolveInput(resourceId: string) {
+  return {
+    resourceId,
+    periodStart: new Date("2026-01-01T00:00:00.000Z"),
+    periodEnd: new Date("2026-12-31T00:00:00.000Z"),
+  };
+}
+
+describe("holiday calendar router authorization", () => {
+  it("requires authentication for resource holiday resolution", async () => {
+    const resourceFindFirst = vi.fn();
+    const resourceFindUnique = vi.fn();
+    const caller = createCaller(createContext({
+      resource: {
+        findFirst: resourceFindFirst,
+        findUnique: resourceFindUnique,
+      },
+      holidayCalendar: {
+        findMany: vi.fn(),
+      },
+    }, { session: false }));
+
+    await expect(caller.resolveResourceHolidays(resolveInput("res_1"))).rejects.toMatchObject({
+      code: "UNAUTHORIZED",
+      message: "Authentication required",
+    });
+
+    expect(resourceFindFirst).not.toHaveBeenCalled();
+    expect(resourceFindUnique).not.toHaveBeenCalled();
+  });
+
+  it("forbids regular users from resolving another resource's holidays", async () => {
+    const resourceFindUnique = vi.fn();
+    const holidayCalendarFindMany = vi.fn();
+    const caller = createCaller(createContext({
+      resource: {
+        findFirst: vi.fn().mockResolvedValue({ id: "res_own" }),
+        findUnique: resourceFindUnique,
+      },
+      holidayCalendar: {
+        findMany: holidayCalendarFindMany,
+      },
+    }));
+
+    await expect(caller.resolveResourceHolidays(resolveInput("res_other"))).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "You can only view holiday data for your own resource",
+    });
+
+    expect(resourceFindUnique).not.toHaveBeenCalled();
+    expect(holidayCalendarFindMany).not.toHaveBeenCalled();
+  });
+
+  it("allows regular users to resolve holidays for their own resource", async () => {
+    const resourceFindUnique = vi.fn().mockResolvedValue({
+      id: "res_own",
+      eid: "EMP-001",
+      displayName: "Alice Example",
+      federalState: "BY",
+      countryId: "country_de",
+      metroCityId: null,
+      country: { code: "DE", name: "Deutschland" },
+      metroCity: null,
+    });
+    const caller = createCaller(createContext({
+      resource: {
+        findFirst: vi.fn().mockResolvedValue({ id: "res_own" }),
+        findUnique: resourceFindUnique,
+      },
+      holidayCalendar: {
+        findMany: vi.fn().mockResolvedValue([]),
+      },
+    }));
+
+    const result = await caller.resolveResourceHolidays(resolveInput("res_own"));
+
+    expect(result.resource).toEqual({
+      id: "res_own",
+      eid: "EMP-001",
+      name: "Alice Example",
+      country: "Deutschland",
+      countryCode: "DE",
+      federalState: "BY",
+      metroCity: null,
+    });
+    expect(resourceFindUnique).toHaveBeenCalledWith({
+      where: { id: "res_own" },
+      select: {
+        id: true,
+        eid: true,
+        displayName: true,
+        federalState: true,
+        countryId: true,
+        metroCityId: true,
+        country: { select: { code: true, name: true } },
+        metroCity: { select: { name: true } },
+      },
+    });
+  });
+
+  it("allows managers to resolve holidays for other resources", async () => {
+    const resourceFindFirst = vi.fn();
+    const resourceFindUnique = vi.fn().mockResolvedValue({
+      id: "res_other",
+      eid: "EMP-002",
+      displayName: "Bob Example",
+      federalState: "BY",
+      countryId: "country_de",
+      metroCityId: null,
+      country: { code: "DE", name: "Deutschland" },
+      metroCity: null,
+    });
+    const caller = createCaller(createContext({
+      resource: {
+        findFirst: resourceFindFirst,
+        findUnique: resourceFindUnique,
+      },
+      holidayCalendar: {
+        findMany: vi.fn().mockResolvedValue([]),
+      },
+    }, { role: SystemRole.MANAGER }));
+
+    const result = await caller.resolveResourceHolidays(resolveInput("res_other"));
+
+    expect(result.resource.id).toBe("res_other");
+    expect(resourceFindFirst).not.toHaveBeenCalled();
+    expect(resourceFindUnique).toHaveBeenCalledWith({
+      where: { id: "res_other" },
+      select: {
+        id: true,
+        eid: true,
+        displayName: true,
+        federalState: true,
+        countryId: true,
+        metroCityId: true,
+        country: { select: { code: true, name: true } },
+        metroCity: { select: { name: true } },
+      },
+    });
+  });
+});
@@ -435,6 +435,7 @@ describe("holiday calendar router", () => {
  it("formats resolved holidays for a resource including local city holidays", async () => {
    const db = {
      resource: {
+        findFirst: vi.fn().mockResolvedValue({ id: "res_1" }),
        findUnique: vi.fn().mockResolvedValue({
          id: "res_1",
          eid: "bruce.banner",
@@ -14,7 +14,7 @@ import { asHolidayResolverDb, getResolvedCalendarHolidays } from "../lib/holiday
 import { createTRPCRouter, adminProcedure, protectedProcedure, type TRPCContext } from "../trpc.js";

 type HolidayCalendarScope = HolidayCalendarScopeInput;
-type HolidayReadContext = Pick<TRPCContext, "db">;
+type HolidayReadContext = Pick<TRPCContext, "db" | "dbUser">;

 const HOLIDAY_SCOPE = {
  COUNTRY: "COUNTRY",
@@ -119,6 +119,45 @@ function formatHolidayCalendarDetail(calendar: {
  };
 }

+function canManageHolidayResourceReads(ctx: { dbUser: { systemRole: string } | null }): boolean {
+  const role = ctx.dbUser?.systemRole;
+  return role === "ADMIN" || role === "MANAGER";
+}
+
+async function findOwnedHolidayResourceId(ctx: HolidayReadContext): Promise<string | null> {
+  if (!ctx.dbUser?.id) {
+    return null;
+  }
+
+  if (!ctx.db.resource || typeof ctx.db.resource.findFirst !== "function") {
+    return null;
+  }
+
+  const resource = await ctx.db.resource.findFirst({
+    where: { userId: ctx.dbUser.id },
+    select: { id: true },
+  });
+
+  return resource?.id ?? null;
+}
+
+async function assertCanReadHolidayResource(
+  ctx: HolidayReadContext,
+  resourceId: string,
+): Promise<void> {
+  if (canManageHolidayResourceReads(ctx)) {
+    return;
+  }
+
+  const ownedResourceId = await findOwnedHolidayResourceId(ctx);
+  if (!ownedResourceId || ownedResourceId !== resourceId) {
+    throw new TRPCError({
+      code: "FORBIDDEN",
+      message: "You can only view holiday data for your own resource",
+    });
+  }
+}
+
 function formatResolvedHolidayDetail(holiday: {
  date: string;
  name: string;
@@ -396,6 +435,8 @@ async function readResolvedResourceHolidaysSnapshot(
  ctx: HolidayReadContext,
  input: z.infer<typeof ResolveResourceHolidaysInputSchema>,
 ) {
+  await assertCanReadHolidayResource(ctx, input.resourceId);
+
  const resource = await findUniqueOrThrow(
    ctx.db.resource.findUnique({
      where: { id: input.resourceId },