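import { SystemRole } from "@capakraken/shared";
import { describe, expect, it, vi } from "vitest";
import { systemRoleConfigRouter } from "../router/system-role-config.js";
import { createCallerFactory } from "../trpc.js";

// Server-side caller for the router under test; each test supplies its own context.
const createCaller = createCallerFactory(systemRoleConfigRouter);

/**
 * Builds a caller whose context carries a session and a dbUser with
 * SystemRole.ADMIN and no permission overrides.
 *
 * @param db - Stub data layer. It is cast with `as never`, so only the
 *   delegates a test actually touches need to exist on it.
 */
function createAdminCaller(db: Record<string, unknown>) {
  return createCaller({
    session: {
      user: { email: "admin@example.com", name: "Admin", image: null },
      expires: "2099-01-01T00:00:00.000Z",
    },
    db: db as never,
    dbUser: {
      id: "admin_1",
      systemRole: SystemRole.ADMIN,
      permissionOverrides: null,
    },
  });
}

/**
 * Builds a caller whose context carries a session and a dbUser with
 * SystemRole.USER and no permission overrides, i.e. a signed-in caller
 * without the admin role.
 *
 * @param db - Stub data layer, cast with `as never` like in createAdminCaller.
 */
function createProtectedCaller(db: Record<string, unknown>) {
  return createCaller({
    session: {
      user: { email: "user@example.com", name: "User", image: null },
      expires: "2099-01-01T00:00:00.000Z",
    },
    db: db as never,
    dbUser: {
      id: "user_1",
      systemRole: SystemRole.USER,
      permissionOverrides: null,
    },
  });
}

/** Returns a fresh copy of the role-config row used as the stubbed query result. */
function makeAdminRoleConfig() {
  return {
    role: SystemRole.ADMIN,
    label: "Admin",
    description: "System administrator",
    color: "#000000",
    sortOrder: 0,
    defaultPermissions: [],
  };
}

// NOTE(review): only `list` is exercised here. Any other procedure exposed by
// this router, and a context without a session, should get the same rejection
// test; confirm whether that is covered elsewhere.
describe("system role config router authorization", () => {
  it("requires admin access for listing role configs", async () => {
    // A spy instead of an empty db makes the ordering explicit: the role check
    // must reject before the handler reads any role configuration.
    const findMany = vi.fn();
    const caller = createProtectedCaller({ systemRoleConfig: { findMany } });

    await expect(caller.list()).rejects.toThrow(
      expect.objectContaining({
        code: "FORBIDDEN",
        message: "Admin role required",
      }),
    );
    expect(findMany).not.toHaveBeenCalled();
  });

  it("allows admins to list role configs", async () => {
    const db = {
      systemRoleConfig: {
        findMany: vi.fn().mockResolvedValue([makeAdminRoleConfig()]),
      },
    };
    const caller = createAdminCaller(db);

    const result = await caller.list();

    // The listing is expected to be ordered by sortOrder ascending.
    expect(db.systemRoleConfig.findMany).toHaveBeenCalledWith({
      orderBy: { sortOrder: "asc" },
    });
    // Compared against an independent copy so mutation of the rows would show up.
    expect(result).toEqual([makeAdminRoleConfig()]);
  });
});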