feat(platform): harden access scoping and delivery baseline

2026-03-30 00:27:31 +02:00
parent 00b936fa1f
commit 819345acfa
109 changed files with 26142 additions and 8081 deletions
@@ -115,4 +115,80 @@ describe("report router", () => {
    expect(result.csv).toContain("Name,Country Code,Holiday Dates,Holiday Hours Deduction,Absence Hours Deduction,SAH,Target Hours,Unassigned Hours");
    expect(result.csv).toContain("Alice,DE,1,8,4,156,124.8,156");
  });
+
+  it("rejects invalid resource_month period months instead of silently normalizing them", async () => {
+    const caller = createControllerCaller({});
+
+    await expect(caller.getReportData({
+      entity: "resource_month",
+      columns: ["displayName"],
+      filters: [],
+      periodMonth: "2026-13",
+      limit: 10,
+      offset: 0,
+    })).rejects.toMatchObject({
+      code: "BAD_REQUEST",
+      message: expect.stringContaining("Invalid"),
+    });
+  });
+
+  it("rejects unknown columns instead of silently dropping them", async () => {
+    const caller = createControllerCaller({
+      resource: {
+        findMany: vi.fn(),
+        count: vi.fn(),
+      },
+    });
+
+    await expect(caller.getReportData({
+      entity: "resource",
+      columns: ["displayName", "unknownColumn"],
+      filters: [],
+      limit: 10,
+      offset: 0,
+    })).rejects.toMatchObject({
+      code: "BAD_REQUEST",
+      message: expect.stringContaining("unknownColumn"),
+    });
+  });
+
+  it("rejects unsupported relation filters instead of silently ignoring them", async () => {
+    const caller = createControllerCaller({
+      assignment: {
+        findMany: vi.fn(),
+        count: vi.fn(),
+      },
+    });
+
+    await expect(caller.getReportData({
+      entity: "assignment",
+      columns: ["id", "resource.displayName"],
+      filters: [{ field: "resource.displayName", op: "contains", value: "Alice" }],
+      limit: 10,
+      offset: 0,
+    })).rejects.toMatchObject({
+      code: "BAD_REQUEST",
+      message: expect.stringContaining("resource.displayName"),
+    });
+  });
+
+  it("rejects invalid numeric filter values instead of silently dropping them", async () => {
+    const caller = createControllerCaller({
+      resource: {
+        findMany: vi.fn(),
+        count: vi.fn(),
+      },
+    });
+
+    await expect(caller.getReportData({
+      entity: "resource",
+      columns: ["displayName"],
+      filters: [{ field: "lcrCents", op: "gte", value: "not-a-number" }],
+      limit: 10,
+      offset: 0,
+    })).rejects.toMatchObject({
+      code: "BAD_REQUEST",
+      message: expect.stringContaining("lcrCents"),
+    });
+  });
 });