Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): classify planning and resource read audiences

Browse Source
This commit is contained in:
Hartmut Nörenberg
2026-03-30 08:51:07 +02:00
parent f6daf21983
commit db45829eca
7 changed files with 154 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/__tests__/resource-router.test.ts
+22 -3
View File
@@ -780,7 +780,7 @@ describe("resource router", () => {
caller.listSummaries({ search: "Alice", limit: 10 }),
).rejects.toMatchObject({
code: "FORBIDDEN",
message: "You need resource overview access to search resource summaries",
message: "Resource overview access required",
});
expect(db.resource.findMany).not.toHaveBeenCalled();
});
@@ -980,7 +980,7 @@ describe("resource router", () => {
caller.listStaff({ limit: 10 }),
).rejects.toMatchObject({
code: "FORBIDDEN",
message: "You need resource overview access to list staff resource data",
message: "Resource overview access required",
});
expect(db.resource.findMany).not.toHaveBeenCalled();
expect(db.resource.count).not.toHaveBeenCalled();
@@ -1301,7 +1301,7 @@ describe("resource router", () => {
},
};
const caller = createProtectedCaller(db);
const caller = createProtectedCallerWithOverrides(db, { granted: [PermissionKey.VIEW_ALL_RESOURCES] });
const result = await caller.resolveResponsiblePersonName({ name: "Peter" });
expect(result).toEqual({
@@ -1310,6 +1310,25 @@ describe("resource router", () => {
});
});
it("rejects responsible-person resolution for regular users without resource overview access", async () => {
const db = {
resource: {
findFirst: vi.fn(),
findMany: vi.fn(),
},
};
const caller = createProtectedCaller(db);
await expect(
caller.resolveResponsiblePersonName({ name: "Peter" }),
).rejects.toMatchObject({
code: "FORBIDDEN",
message: "Resource overview access required",
});
expect(db.resource.findFirst).not.toHaveBeenCalled();
expect(db.resource.findMany).not.toHaveBeenCalled();
});
it("applies country filters on the staff list including explicit no-country toggle", async () => {
const db = {
resource: {