feat(auth): tighten allocation read audiences

2026-03-30 09:03:44 +02:00
parent db45829eca
commit a50ca09333
3 changed files with 130 additions and 13 deletions
@@ -62,6 +62,123 @@ function createManagerCaller(db: Record<string, unknown>) {
  });
 }

+function createControllerCaller(db: Record<string, unknown>) {
+  return createCaller({
+    session: {
+      user: { email: "controller@example.com", name: "Controller", image: null },
+      expires: "2026-03-13T00:00:00.000Z",
+    },
+    db: db as never,
+    dbUser: {
+      id: "user_controller",
+      systemRole: SystemRole.CONTROLLER,
+      permissionOverrides: null,
+    },
+  });
+}
+
+function createProtectedCaller(db: Record<string, unknown>) {
+  return createCaller({
+    session: {
+      user: { email: "user@example.com", name: "User", image: null },
+      expires: "2026-03-13T00:00:00.000Z",
+    },
+    db: db as never,
+    dbUser: {
+      id: "user_1",
+      systemRole: SystemRole.USER,
+      permissionOverrides: null,
+    },
+  });
+}
+
+describe("allocation router authorization", () => {
+  const planningWindow = {
+    resourceId: "resource_1",
+    startDate: new Date("2026-04-01T00:00:00.000Z"),
+    endDate: new Date("2026-04-02T00:00:00.000Z"),
+    hoursPerDay: 8,
+  };
+
+  it("allows controllers to read assignment lists through the planning audience", async () => {
+    const assignment = {
+      id: "assignment_1",
+      demandRequirementId: null,
+      resourceId: "resource_1",
+      projectId: "project_1",
+      startDate: new Date("2026-04-01T00:00:00.000Z"),
+      endDate: new Date("2026-04-02T00:00:00.000Z"),
+      hoursPerDay: 8,
+      percentage: 100,
+      role: "Compositor",
+      roleId: "role_comp",
+      dailyCostCents: 40000,
+      status: AllocationStatus.ACTIVE,
+      metadata: {},
+      resource: null,
+      project: { id: "project_1", name: "Project One", shortCode: "PRJ" },
+      roleEntity: null,
+      demandRequirement: null,
+    };
+    const db = {
+      assignment: {
+        findMany: vi.fn().mockResolvedValue([assignment]),
+      },
+      systemSettings: {
+        findUnique: vi.fn().mockResolvedValue(null),
+      },
+    };
+
+    const caller = createControllerCaller(db);
+    const result = await caller.listAssignments({});
+
+    expect(result).toEqual([assignment]);
+    expect(db.assignment.findMany).toHaveBeenCalledWith({
+      where: {},
+      include: expect.any(Object),
+      orderBy: { startDate: "asc" },
+    });
+  });
+
+  it.each([
+    { name: "list", invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.list({}) },
+    { name: "listView", invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.listView({}) },
+    { name: "listDemands", invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.listDemands({}) },
+    { name: "listAssignments", invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.listAssignments({}) },
+    {
+      name: "getAssignmentById",
+      invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.getAssignmentById({ id: "assignment_1" }),
+    },
+    {
+      name: "resolveAssignment",
+      invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.resolveAssignment({ assignmentId: "assignment_1" }),
+    },
+    {
+      name: "getDemandRequirementById",
+      invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.getDemandRequirementById({ id: "demand_1" }),
+    },
+    {
+      name: "checkResourceAvailability",
+      invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.checkResourceAvailability(planningWindow),
+    },
+    {
+      name: "getResourceAvailabilityView",
+      invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.getResourceAvailabilityView(planningWindow),
+    },
+    {
+      name: "getResourceAvailabilitySummary",
+      invoke: (caller: ReturnType<typeof createProtectedCaller>) => caller.getResourceAvailabilitySummary(planningWindow),
+    },
+  ])("requires planning read access for $name", async ({ invoke }) => {
+    const caller = createProtectedCaller({});
+
+    await expect(invoke(caller)).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "Planning read access required",
+    });
+  });
+});
+
 function createDemandWorkflowDb(overrides: Record<string, unknown> = {}) {
  const db = {
    project: {
@@ -43,7 +43,7 @@ import {
  countEffectiveWorkingDays,
  loadResourceDailyAvailabilityContexts,
 } from "../lib/resource-capacity.js";
-import { createTRPCRouter, managerProcedure, protectedProcedure, requirePermission } from "../trpc.js";
+import { createTRPCRouter, managerProcedure, planningReadProcedure, requirePermission } from "../trpc.js";
 import { PROJECT_BRIEF_SELECT, RESOURCE_BRIEF_SELECT, ROLE_BRIEF_SELECT } from "../db/selects.js";

 const DEMAND_INCLUDE = {
@@ -658,7 +658,7 @@ function buildResourceAvailabilitySummary(
 }

 export const allocationRouter = createTRPCRouter({
-  list: protectedProcedure
+  list: planningReadProcedure
    .input(
      z.object({
        projectId: z.string().optional(),
@@ -671,7 +671,7 @@ export const allocationRouter = createTRPCRouter({
      return readModel.allocations;
    }),

-  listView: protectedProcedure
+  listView: planningReadProcedure
    .input(
      z.object({
        projectId: z.string().optional(),
@@ -746,7 +746,7 @@ export const allocationRouter = createTRPCRouter({
      return allocation;
    }),

-  listDemands: protectedProcedure
+  listDemands: planningReadProcedure
    .input(
      z.object({
        projectId: z.string().optional(),
@@ -774,7 +774,7 @@ export const allocationRouter = createTRPCRouter({
      }));
    }),

-  listAssignments: protectedProcedure
+  listAssignments: planningReadProcedure
    .input(
      z.object({
        projectId: z.string().optional(),
@@ -801,7 +801,7 @@ export const allocationRouter = createTRPCRouter({
      );
    }),

-  getAssignmentById: protectedProcedure
+  getAssignmentById: planningReadProcedure
    .input(z.object({ id: z.string() }))
    .query(async ({ ctx, input }) => {
      const assignment = await findUniqueOrThrow(
@@ -821,7 +821,7 @@ export const allocationRouter = createTRPCRouter({
      };
    }),

-  resolveAssignment: protectedProcedure
+  resolveAssignment: planningReadProcedure
    .input(z.object({
      assignmentId: z.string().optional(),
      resourceId: z.string().optional(),
@@ -833,7 +833,7 @@ export const allocationRouter = createTRPCRouter({
    }))
    .query(async ({ ctx, input }) => resolveAssignmentBySelection(ctx.db, input)),

-  getDemandRequirementById: protectedProcedure
+  getDemandRequirementById: planningReadProcedure
    .input(z.object({ id: z.string() }))
    .query(async ({ ctx, input }) => getDemandRequirementByIdOrThrow(ctx.db, input.id)),

@@ -841,7 +841,7 @@ export const allocationRouter = createTRPCRouter({
   * Check a resource's availability for a date range.
   * Returns working days, existing allocations, conflict days, and available capacity.
   */
-  checkResourceAvailability: protectedProcedure
+  checkResourceAvailability: planningReadProcedure
    .input(z.object({
      resourceId: z.string(),
      startDate: z.coerce.date(),
@@ -853,7 +853,7 @@ export const allocationRouter = createTRPCRouter({
      return availability;
    }),

-  getResourceAvailabilityView: protectedProcedure
+  getResourceAvailabilityView: planningReadProcedure
    .input(z.object({
      resourceId: z.string(),
      startDate: z.coerce.date(),
@@ -862,7 +862,7 @@ export const allocationRouter = createTRPCRouter({
    }))
    .query(async ({ ctx, input }) => buildResourceAvailabilityView(ctx.db, input)),

-  getResourceAvailabilitySummary: protectedProcedure
+  getResourceAvailabilitySummary: planningReadProcedure
    .input(z.object({
      resourceId: z.string(),
      startDate: z.coerce.date(),