Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): introduce explicit planning read permission

Browse Source
This commit is contained in:
Hartmut Nörenberg
2026-03-30 09:15:07 +02:00
parent a50ca09333
commit 93c4374973
11 changed files with 293 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/__tests__/allocation-router.test.ts
+67 -1
View File
@@ -1,4 +1,4 @@
import { AllocationStatus, SystemRole } from "@capakraken/shared";
import { AllocationStatus, PermissionKey, SystemRole } from "@capakraken/shared";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { allocationRouter } from "../router/allocation.js";
import { emitAllocationCreated, emitAllocationDeleted, emitNotificationCreated } from "../sse/event-bus.js";
@@ -92,6 +92,24 @@ function createProtectedCaller(db: Record<string, unknown>) {
});
}
function createProtectedCallerWithOverrides(
db: Record<string, unknown>,
overrides: { granted?: PermissionKey[]; denied?: PermissionKey[] } | null,
) {
return createCaller({
session: {
user: { email: "user@example.com", name: "User", image: null },
expires: "2026-03-13T00:00:00.000Z",
},
db: db as never,
dbUser: {
id: "user_1",
systemRole: SystemRole.USER,
permissionOverrides: overrides,
},
});
}
describe("allocation router authorization", () => {
const planningWindow = {
resourceId: "resource_1",
@@ -140,6 +158,54 @@ describe("allocation router authorization", () => {
});
});
it("allows explicit viewPlanning overrides to read assignment lists", async () => {
const assignment = {
id: "assignment_1",
demandRequirementId: null,
resourceId: "resource_1",
projectId: "project_1",
startDate: new Date("2026-04-01T00:00:00.000Z"),
endDate: new Date("2026-04-02T00:00:00.000Z"),
hoursPerDay: 8,
percentage: 100,
role: "Compositor",
roleId: "role_comp",
dailyCostCents: 40000,
status: AllocationStatus.ACTIVE,
metadata: {},
resource: null,
project: { id: "project_1", name: "Project One", shortCode: "PRJ" },
roleEntity: null,
demandRequirement: null,
};
const db = {
assignment: {
findMany: vi.fn().mockResolvedValue([assignment]),
},
systemSettings: {
findUnique: vi.fn().mockResolvedValue(null),
},
};
const caller = createProtectedCallerWithOverrides(db, {
granted: [PermissionKey.VIEW_PLANNING],
});
const result = await caller.listAssignments({});
expect(result).toEqual([assignment]);
});
it("does not treat viewCosts as a substitute for viewPlanning on planning reads", async () => {
const caller = createProtectedCallerWithOverrides({}, {
granted: [PermissionKey.VIEW_COSTS],
});
await expect(caller.listAssignments({})).rejects.toMatchObject({
code: "FORBIDDEN",
message: "Planning read access required",
});
});
it.each([
{ name: "list", invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.list({}) },
{ name: "listView", invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.listView({}) },
packages/api/src/__tests__/project-router.test.ts
+74 -1
View File
@@ -1,4 +1,4 @@
import { OrderType, AllocationType, ProjectStatus, SystemRole } from "@capakraken/shared";
import { OrderType, AllocationType, PermissionKey, ProjectStatus, SystemRole } from "@capakraken/shared";
import { describe, expect, it, vi, beforeEach } from "vitest";
import { invalidateDashboardCache } from "../lib/cache.js";
import { logger } from "../lib/logger.js";
@@ -110,6 +110,24 @@ function createProtectedCaller(db: Record<string, unknown>) {
});
}
function createProtectedCallerWithOverrides(
db: Record<string, unknown>,
overrides: { granted?: PermissionKey[]; denied?: PermissionKey[] } | null,
) {
return createCaller({
session: {
user: { email: "user@example.com", name: "User", image: null },
expires: "2099-01-01T00:00:00.000Z",
},
db: db as never,
dbUser: {
id: "user_1",
systemRole: SystemRole.USER,
permissionOverrides: overrides,
},
});
}
const sampleProject = {
id: "project_1",
shortCode: "PRJ-001",
@@ -748,6 +766,61 @@ describe("project router", () => {
).rejects.toThrow(expect.objectContaining({ code: "FORBIDDEN" }));
});
it("allows explicit viewPlanning overrides to access lightweight project search summaries", async () => {
const db = {
project: {
findMany: vi.fn().mockResolvedValue([
{
id: "project_1",
shortCode: "GDM",
name: "Gelddruckmaschine",
status: ProjectStatus.ACTIVE,
startDate: new Date("2026-01-01T00:00:00.000Z"),
endDate: new Date("2026-03-31T00:00:00.000Z"),
client: { name: "Acme Mobility" },
},
]),
},
};
const caller = createProtectedCallerWithOverrides(db, {
granted: [PermissionKey.VIEW_PLANNING],
});
const result = await caller.searchSummaries({ search: "Gelddruckmaschine", limit: 10 });
expect(result).toEqual([
{
id: "project_1",
code: "GDM",
name: "Gelddruckmaschine",
status: "ACTIVE",
start: "2026-01-01",
end: "2026-03-31",
client: "Acme Mobility",
},
]);
});
it("does not treat viewCosts as a substitute for viewPlanning on lightweight project search summaries", async () => {
const db = {
project: {
findMany: vi.fn(),
},
};
const caller = createProtectedCallerWithOverrides(db, {
granted: [PermissionKey.VIEW_COSTS],
});
await expect(
caller.searchSummaries({ search: "Gelddruckmaschine", limit: 10 }),
).rejects.toThrow(
expect.objectContaining({
code: "FORBIDDEN",
message: "Planning read access required",
}),
);
});
it("returns lightweight project identifier reads from the canonical router", async () => {
const db = {
project: {