feat(management-level): scope reads to planning audience

2026-03-30 10:45:44 +02:00
parent c2ca6a6d0d
commit 9b764008c3
5 changed files with 85 additions and 3 deletions
@@ -2,6 +2,7 @@ import { PermissionKey, SystemRole } from "@capakraken/shared";
 import { describe, expect, it, vi } from "vitest";
 import { clientRouter } from "../router/client.js";
 import { countryRouter } from "../router/country.js";
+import { managementLevelRouter } from "../router/management-level.js";
 import { orgUnitRouter } from "../router/org-unit.js";
 import { utilizationCategoryRouter } from "../router/utilization-category.js";
 import { createCallerFactory } from "../trpc.js";
@@ -576,4 +577,72 @@ describe("master-data router authorization", () => {
      include: { _count: { select: { projects: true } } },
    });
  });
+
+  it("requires planning read access for management-level reads", async () => {
+    const listFindMany = vi.fn();
+    const getByIdFindUnique = vi.fn();
+    const caller = createCallerFactory(managementLevelRouter)(createProtectedContext({
+      managementLevelGroup: {
+        findMany: listFindMany,
+        findUnique: getByIdFindUnique,
+      },
+    }));
+
+    await expect(caller.listGroups()).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "Planning read access required",
+    });
+    await expect(caller.getGroupById({ id: "mgmt_group_1" })).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "Planning read access required",
+    });
+
+    expect(listFindMany).not.toHaveBeenCalled();
+    expect(getByIdFindUnique).not.toHaveBeenCalled();
+  });
+
+  it("allows management-level reads for users with planning access", async () => {
+    const listFindMany = vi.fn().mockResolvedValue([
+      {
+        id: "mgmt_group_1",
+        name: "Team Leads",
+        targetPercentage: 0.72,
+        sortOrder: 10,
+        levels: [{ id: "mgmt_level_1", name: "Senior Team Lead" }],
+      },
+    ]);
+    const getByIdFindUnique = vi.fn().mockResolvedValue({
+      id: "mgmt_group_1",
+      name: "Team Leads",
+      targetPercentage: 0.72,
+      sortOrder: 10,
+      levels: [{ id: "mgmt_level_1", name: "Senior Team Lead" }],
+      _count: { resources: 6 },
+    });
+    const caller = createCallerFactory(managementLevelRouter)(createProtectedContext({
+      managementLevelGroup: {
+        findMany: listFindMany,
+        findUnique: getByIdFindUnique,
+      },
+    }, {
+      granted: [PermissionKey.VIEW_PLANNING],
+    }));
+
+    const listResult = await caller.listGroups();
+    const detailResult = await caller.getGroupById({ id: "mgmt_group_1" });
+
+    expect(listResult).toHaveLength(1);
+    expect(detailResult._count.resources).toBe(6);
+    expect(listFindMany).toHaveBeenCalledWith({
+      include: { levels: { orderBy: { name: "asc" } } },
+      orderBy: { sortOrder: "asc" },
+    });
+    expect(getByIdFindUnique).toHaveBeenCalledWith({
+      where: { id: "mgmt_group_1" },
+      include: {
+        levels: { orderBy: { name: "asc" } },
+        _count: { select: { resources: true } },
+      },
+    });
+  });
 });