Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(client): scope planning reads to explicit audience

Browse Source
This commit is contained in:
Hartmut Nörenberg
2026-03-30 10:24:52 +02:00
parent 2b514ea962
commit ae74700f7c
5 changed files with 206 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/__tests__/master-data-router-auth.test.ts
+179
View File
@@ -1,5 +1,6 @@
import { PermissionKey, SystemRole } from "@capakraken/shared";
import { describe, expect, it, vi } from "vitest";
import { clientRouter } from "../router/client.js";
import { countryRouter } from "../router/country.js";
import { orgUnitRouter } from "../router/org-unit.js";
import { createCallerFactory } from "../trpc.js";
@@ -327,4 +328,182 @@ describe("master-data router authorization", () => {
orderBy: [{ sortOrder: "asc" }, { name: "asc" }],
});
});
it("keeps minimal client lookups available to authenticated users", async () => {
const findUnique = vi.fn()
.mockResolvedValueOnce(null)
.mockResolvedValueOnce({
id: "client_1",
name: "Acme Studios",
code: "ACME",
parentId: null,
isActive: true,
});
const caller = createCallerFactory(clientRouter)(createProtectedContext({
client: {
findUnique,
findFirst: vi.fn(),
},
}));
const result = await caller.resolveByIdentifier({ identifier: "ACME" });
expect(result).toEqual({
id: "client_1",
name: "Acme Studios",
code: "ACME",
parentId: null,
isActive: true,
});
});
it("requires planning read access for client list and tree reads", async () => {
const findMany = vi.fn();
const caller = createCallerFactory(clientRouter)(createProtectedContext({
client: {
findMany,
},
}));
await expect(caller.list({ isActive: true })).rejects.toMatchObject({
code: "FORBIDDEN",
message: "Planning read access required",
});
await expect(caller.getTree({ isActive: true })).rejects.toMatchObject({
code: "FORBIDDEN",
message: "Planning read access required",
});
expect(findMany).not.toHaveBeenCalled();
});
it("requires planning read access for detailed client reads with project counts", async () => {
const caller = createCallerFactory(clientRouter)(createProtectedContext({
client: {
findFirst: vi.fn(),
findUnique: vi.fn(),
},
}));
await expect(caller.getByIdentifier({ identifier: "Acme" })).rejects.toMatchObject({
code: "FORBIDDEN",
message: "Planning read access required",
});
await expect(caller.getById({ id: "client_1" })).rejects.toMatchObject({
code: "FORBIDDEN",
message: "Planning read access required",
});
});
it("allows client list, tree, and detail reads for users with planning access", async () => {
const listFindMany = vi.fn().mockResolvedValue([
{
id: "client_1",
name: "Acme Studios",
code: "ACME",
parentId: null,
isActive: true,
sortOrder: 10,
tags: ["enterprise"],
createdAt: new Date("2026-03-01T00:00:00.000Z"),
updatedAt: new Date("2026-03-01T00:00:00.000Z"),
_count: { children: 1, projects: 4 },
},
]);
const treeFindMany = vi.fn().mockResolvedValue([
{
id: "client_1",
name: "Acme Studios",
code: "ACME",
parentId: null,
isActive: true,
sortOrder: 10,
tags: ["enterprise"],
createdAt: new Date("2026-03-01T00:00:00.000Z"),
updatedAt: new Date("2026-03-01T00:00:00.000Z"),
},
]);
const getByIdFindUnique = vi.fn()
.mockResolvedValueOnce({
id: "client_1",
name: "Acme Studios",
code: "ACME",
parentId: null,
isActive: true,
sortOrder: 10,
tags: ["enterprise"],
createdAt: new Date("2026-03-01T00:00:00.000Z"),
updatedAt: new Date("2026-03-01T00:00:00.000Z"),
parent: null,
children: [],
_count: { children: 1, projects: 4 },
})
.mockResolvedValueOnce(null);
const getByIdentifierFindFirst = vi.fn().mockResolvedValue({
id: "client_1",
name: "Acme Studios",
code: "ACME",
parentId: null,
isActive: true,
sortOrder: 10,
tags: ["enterprise"],
createdAt: new Date("2026-03-01T00:00:00.000Z"),
updatedAt: new Date("2026-03-01T00:00:00.000Z"),
_count: { children: 1, projects: 4 },
});
const caller = createCallerFactory(clientRouter)(createProtectedContext({
client: {
findMany: vi.fn()
.mockImplementationOnce(listFindMany)
.mockImplementationOnce(treeFindMany),
findUnique: getByIdFindUnique,
findFirst: getByIdentifierFindFirst,
},
}, {
granted: [PermissionKey.VIEW_PLANNING],
}));
const listResult = await caller.list({ isActive: true, search: "Acme" });
const treeResult = await caller.getTree({ isActive: true });
const byIdResult = await caller.getById({ id: "client_1" });
const byIdentifierResult = await caller.getByIdentifier({ identifier: "Acme Studios" });
expect(listResult).toHaveLength(1);
expect(treeResult).toEqual([
expect.objectContaining({
id: "client_1",
name: "Acme Studios",
children: [],
}),
]);
expect(byIdResult._count.projects).toBe(4);
expect(byIdentifierResult._count.projects).toBe(4);
expect(listFindMany).toHaveBeenCalledWith({
where: {
isActive: true,
OR: [
{ name: { contains: "Acme", mode: "insensitive" } },
{ code: { contains: "Acme", mode: "insensitive" } },
],
},
include: { _count: { select: { children: true, projects: true } } },
orderBy: [{ sortOrder: "asc" }, { name: "asc" }],
});
expect(treeFindMany).toHaveBeenCalledWith({
where: { isActive: true },
orderBy: [{ sortOrder: "asc" }, { name: "asc" }],
});
expect(getByIdFindUnique).toHaveBeenCalledWith({
where: { id: "client_1" },
include: {
parent: true,
children: { orderBy: { sortOrder: "asc" } },
_count: { select: { projects: true, children: true } },
},
});
expect(getByIdentifierFindFirst).toHaveBeenCalledWith(expect.objectContaining({
where: { name: { equals: "Acme Studios", mode: "insensitive" } },
include: { _count: { select: { projects: true, children: true } } },
}));
});
});