Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
019702c043b908203370d3bdb08bcf5e66b2e9a5
CapaKraken/apps/web/e2e/dev-system/rbac-permissions.spec.ts
T
Hartmut 8429bd86d4 test(e2e): fix dev-system test suite — storageState + strict-mode + signout 
Fixes 8 failures from the first test run:

1. Rate limiter exhaustion (5/8 failures)
   Admin was logged in 9× across the suite, hitting the 5/15min auth
   limit. Fix: global-setup.ts logs in once per role and saves storage
   state; all non-login tests use storageState so they skip the form.
   Total admin logins per suite run: 3 (global setup + 2 explicit tests).

2. Strict-mode violations (2/8 failures)
   toBeVisible() matched 3 email cells / 2 permission-error nodes.
   Fix: .first() on both locators.

3. Auth.js v5 signout confirmation page (1/8 failures)
   GET /auth/signout renders a confirm form rather than immediately
   redirecting. Fix: signOut() helper clicks the submit button.

Note: running the suite right after a previous run may fail if the
in-memory rate limit hasn't reset (15-min window). Restart the dev
server, or add E2E_TEST_MODE=true to apps/web/.env.local to bypass.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-04-01 19:09:49 +02:00

172 lines
6.3 KiB
TypeScript
Raw Blame History

/**
* RBAC / permissions tests — dev system
*
* Validates that role-based access control is enforced correctly
* against the running dev server with real seed data.
*
* All tests reuse pre-authenticated storage states from global setup
* so they don't trigger the auth rate limiter.
*
* Role hierarchy:
* ADMIN — full access including all /admin/* routes
* MANAGER — can view allocations, cannot access /admin/users etc.
* VIEWER — limited read-only; allocations are forbidden (TRPC FORBIDDEN)
*/
import { expect, test } from "@playwright/test";
import { STORAGE_STATE } from "../../playwright.dev.config.js";
// ---------------------------------------------------------------------------
// Admin routes — admin session
// ---------------------------------------------------------------------------
test.describe("RBAC — admin routes (admin session)", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin can access /admin/users and sees user rows", async ({ page }) => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
// Seed users have planarchy.dev or capakraken.dev email domains
await expect(
page.locator("text=/planarchy\\.dev|capakraken\\.dev/").first(),
).toBeVisible({ timeout: 10000 });
});
test("admin can access /admin/system-roles without errors", async ({ page }) => {
await page.goto("/admin/system-roles");
await page.waitForLoadState("networkidle");
await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
});
test("admin can access /admin/blueprints without errors", async ({ page }) => {
await page.goto("/admin/blueprints");
await page.waitForLoadState("networkidle");
await expect(page.locator("h1,h2,h3").first()).toBeVisible({ timeout: 10000 });
});
});
// ---------------------------------------------------------------------------
// Admin routes — non-admin sessions should be blocked
// ---------------------------------------------------------------------------
test.describe("RBAC — /admin/users blocked for manager", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager is redirected or sees an error on /admin/users", async ({ page }) => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
const isRedirected = !page.url().includes("/admin/users");
const hasForbiddenText = await page
.locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
.first()
.isVisible()
.catch(() => false);
expect(isRedirected || hasForbiddenText).toBe(true);
});
});
test.describe("RBAC — /admin/users blocked for viewer", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer is redirected or sees an error on /admin/users", async ({ page }) => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
const isRedirected = !page.url().includes("/admin/users");
const hasForbiddenText = await page
.locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
.first()
.isVisible()
.catch(() => false);
expect(isRedirected || hasForbiddenText).toBe(true);
});
});
// ---------------------------------------------------------------------------
// Allocations access by role
// ---------------------------------------------------------------------------
test.describe("RBAC — allocations permitted for admin", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin can view /allocations without permission errors", async ({ page }) => {
await page.goto("/allocations");
await page.waitForLoadState("networkidle");
await expect(
page.locator("text=/do not have permission to view allocations/i"),
).toHaveCount(0, { timeout: 8000 });
});
});
test.describe("RBAC — allocations permitted for manager", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager can view /allocations without permission errors", async ({ page }) => {
await page.goto("/allocations");
await page.waitForLoadState("networkidle");
await expect(
page.locator("text=/do not have permission to view allocations/i"),
).toHaveCount(0, { timeout: 8000 });
});
});
test.describe("RBAC — allocations forbidden for viewer", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer sees a permission error on /allocations", async ({ page }) => {
await page.goto("/allocations");
await page.waitForLoadState("networkidle");
// AllocationsClient renders the message in both the page subtitle and the card body;
// use .first() to avoid strict-mode violation.
await expect(
page.locator("text=/permission|forbidden|not have permission/i").first(),
).toBeVisible({ timeout: 10000 });
});
});
// ---------------------------------------------------------------------------
// Dashboard loads for every role
// ---------------------------------------------------------------------------
test.describe("RBAC — dashboard (admin)", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin dashboard loads without errors", async ({ page }) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
});
});
test.describe("RBAC — dashboard (manager)", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager dashboard loads without errors", async ({ page }) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
});
});
test.describe("RBAC — dashboard (viewer)", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer dashboard loads without errors", async ({ page }) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
});
});
Reference in New Issue View Git Blame Copy Permalink