test(api): cover shared resource access rules
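--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,102 @@
+import { TRPCError } from "@trpc/server";
+import { PermissionKey, SystemRole } from "@capakraken/shared";
+import { describe, expect, it, vi } from "vitest";
+import {
+assertCanReadResource,
+canReadAllResources,
+findOwnedResourceId,
+resolveResourcePermissions,
+} from "../lib/resource-access.js";
+
+describe("resource access helpers", () => {
+it("returns no permissions without a db user", () => {
+expect(resolveResourcePermissions({ dbUser: null, roleDefaults: null })).toEqual(new Set());
+});
+
+it("treats managers with resource permissions as staff readers", () => {
+const permissions = resolveResourcePermissions({
+dbUser: {
+systemRole: SystemRole.MANAGER,
+permissionOverrides: null,
+} as never,
+roleDefaults: null,
+});
+
+expect(permissions.has(PermissionKey.VIEW_ALL_RESOURCES)).toBe(true);
+expect(canReadAllResources({
+dbUser: {
+systemRole: SystemRole.MANAGER,
+permissionOverrides: null,
+} as never,
+roleDefaults: null,
+})).toBe(true);
+});
+
+it("returns null when no linked resource lookup is possible", async () => {
+await expect(findOwnedResourceId({
+dbUser: { id: "user_1" } as never,
+roleDefaults: null,
+db: {},
+})).resolves.toBeNull();
+});
+
+it("returns the owned resource id when the lookup succeeds", async () => {
+const findFirst = vi.fn().mockResolvedValue({ id: "res_1" });
+
+await expect(findOwnedResourceId({
+dbUser: { id: "user_1" } as never,
+roleDefaults: null,
+db: {
+resource: {
+findFirst,
+},
+} as never,
+})).resolves.toBe("res_1");
+
+expect(findFirst).toHaveBeenCalledWith({
+where: { userId: "user_1" },
+select: { id: true },
+});
+});
+
+it("allows staff readers to access arbitrary resources without ownership lookup", async () => {
+const findFirst = vi.fn();
+
+await expect(assertCanReadResource({
+dbUser: {
+id: "mgr_1",
+systemRole: SystemRole.MANAGER,
+permissionOverrides: null,
+} as never,
+roleDefaults: null,
+db: {
+resource: {
+findFirst,
+},
+} as never,
+}, "res_1")).resolves.toBeUndefined();
+
+expect(findFirst).not.toHaveBeenCalled();
+});
+
+it("rejects non-owned resources for regular users", async () => {
+const findFirst = vi.fn().mockResolvedValue({ id: "res_own" });
+
+await expect(assertCanReadResource({
+dbUser: {
+id: "user_1",
+systemRole: SystemRole.USER,
+permissionOverrides: null,
+} as never,
+roleDefaults: null,
+db: {
+resource: {
+findFirst,
+},
+} as never,
+}, "res_other", "custom message")).rejects.toEqual(expect.objectContaining<Partial<TRPCError>>({
+code: "FORBIDDEN",
+message: "custom message",
+}));
+});
+});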
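Review bot: The regular-user path of `assertCanReadResource` is only exercised for a mismatched id in the last case, never for the two outcomes that pin the default-deny contract: an owner reading their own resource, and a user whose ownership lookup returns null. The `db: {}` case shows `findOwnedResourceId` resolving null when no `resource` delegate exists, but nothing asserts what `assertCanReadResource` does with that null — presumably FORBIDDEN, though that is inferred since the helper's implementation is not in this commit. Every case also passes `roleDefaults: null` and `permissionOverrides: null`, so the override and role-default merging in `resolveResourcePermissions` — the part that decides whether a non-manager becomes a staff reader — is untested; a USER with an override granting `PermissionKey.VIEW_ALL_RESOURCES` and a MANAGER with it revoked would cover both directions, and the default rejection message when the third argument is omitted is likewise unasserted. The two ownership cases are sketched below, with expected outcomes inferred from the existing cases.
```typescript
// … unchanged: existing cases …

it("allows regular users to read a resource they own", async () => {
  const findFirst = vi.fn().mockResolvedValue({ id: "res_1" });
  await expect(assertCanReadResource({
    dbUser: { id: "user_1", systemRole: SystemRole.USER, permissionOverrides: null } as never,
    roleDefaults: null,
    db: { resource: { findFirst } } as never,
  }, "res_1")).resolves.toBeUndefined();
  expect(findFirst).toHaveBeenCalledWith({ where: { userId: "user_1" }, select: { id: true } });
});

it("rejects users whose ownership lookup finds nothing", async () => {
  const findFirst = vi.fn().mockResolvedValue(null);
  await expect(assertCanReadResource({
    dbUser: { id: "user_2", systemRole: SystemRole.USER, permissionOverrides: null } as never,
    roleDefaults: null,
    db: { resource: { findFirst } } as never,
  }, "res_1")).rejects.toMatchObject({ code: "FORBIDDEN" });
});
```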