Hartmut/Nexus
1
0
Fork 0
Code Issues 11 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
01f8974314528cbacfbd2882a4152683732ad5b7
Nexus/apps/web/e2e/dev-system/rbac-permissions.spec.ts
T
Hartmut 01f8974314
CI / Architecture Guardrails (pull_request) Successful in 2m59s
Details
CI / Typecheck (pull_request) Successful in 6m41s
Details
CI / Lint (pull_request) Successful in 4m18s
Details
CI / Assistant Split Regression (pull_request) Successful in 5m6s
Details
CI / Unit Tests (pull_request) Successful in 7m21s
Details
CI / Build (pull_request) Successful in 5m21s
Details
CI / Fresh-Linux Docker Deploy (pull_request) Failing after 38s
Details
CI / E2E Tests (pull_request) Successful in 3m28s
Details
CI / Release Images (pull_request) Has been skipped
Details
rename(phase 3): compose/DB/infra names + stray code refs capakraken → nexus 
- docker-compose.yml / .prod.yml / .ci.yml: project names, POSTGRES_DB/USER,
  pg_isready, DATABASE_URL, volume names (nexus_pgdata, nexus_prod_*)
- .github/workflows/ci.yml: POSTGRES_PASSWORD, pg_isready, psql credentials,
  GRANT statements, POSTGRES_PASSWORD=nexus_dev for Docker Deploy job
- scripts/db-target-guard.mjs: expectedDatabase default, NEXUS_EXPECTED_DB_NAME
- scripts/prisma-with-env.mjs, e2e/test-server.mjs: env-var rename
- packages/db/src/safe-destructive-env.ts + reset-dispo-import.ts: DB name set
- packages/db/src/destructive-db-guard.ts: PROTECTED_DATABASE_NAMES → "nexus"
- packages/db/src/destructive-db-guard.test.ts: all fixture DB names + comments
- .env.example, tooling/deploy/deploy.env.example: DATABASE_URL, image refs
- packages/api: Redis channel/key prefixes (rbac-invalidate, sse, ratelimit),
  logger service name, app-base-url log prefix
- E2E: DB container names, localStorage/sessionStorage keys, email domains
- scripts: architecture-guardrails filter, export/import-dev-seed defaults,
  harden-postgres defaults, start.sh pg_isready, worktree-hygiene fixture
- tooling/migrate/rename-to-nexus.sh: new maintenance-window cutover script

Only intentional capakraken survivor: anonymization.ts DEFAULT_ANONYMIZATION_SEED
(functional cryptographic constant — changing it would invalidate stored aliases).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 16:35:39 +02:00

174 lines
6.3 KiB
TypeScript
Raw Blame History

/**
* RBAC / permissions tests — dev system
*
* Validates that role-based access control is enforced correctly
* against the running dev server with real seed data.
*
* All tests reuse pre-authenticated storage states from global setup
* so they don't trigger the auth rate limiter.
*
* Role hierarchy:
* ADMIN — full access including all /admin/* routes
* MANAGER — can view allocations, cannot access /admin/users etc.
* VIEWER — limited read-only; allocations are forbidden (TRPC FORBIDDEN)
*/
import { expect, test } from "@playwright/test";
import { STORAGE_STATE } from "../../playwright.dev.config.js";
// ---------------------------------------------------------------------------
// Admin routes — admin session
// ---------------------------------------------------------------------------
test.describe("RBAC — admin routes (admin session)", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin can access /admin/users and sees user rows", async ({ page }) => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
await expect(page.locator("table")).toBeVisible({ timeout: 10000 });
// Seed users have planarchy.dev or nexus.dev email domains
await expect(page.locator("text=/planarchy\\.dev|nexus\\.dev/").first()).toBeVisible({
timeout: 10000,
});
});
test("admin can access /admin/system-roles without errors", async ({ page }) => {
await page.goto("/admin/system-roles");
await page.waitForLoadState("networkidle");
await expect(page.locator("h1,h2").first()).toBeVisible({ timeout: 10000 });
});
test("admin can access /admin/blueprints without errors", async ({ page }) => {
await page.goto("/admin/blueprints");
await page.waitForLoadState("networkidle");
await expect(page.locator("h1,h2,h3").first()).toBeVisible({ timeout: 10000 });
});
});
// ---------------------------------------------------------------------------
// Admin routes — non-admin sessions should be blocked
// ---------------------------------------------------------------------------
test.describe("RBAC — /admin/users blocked for manager", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager is redirected or sees an error on /admin/users", async ({ page }) => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
const isRedirected = !page.url().includes("/admin/users");
const hasForbiddenText = await page
.locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
.first()
.isVisible()
.catch(() => false);
expect(isRedirected || hasForbiddenText).toBe(true);
});
});
test.describe("RBAC — /admin/users blocked for viewer", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer is redirected or sees an error on /admin/users", async ({ page }) => {
await page.goto("/admin/users");
await page.waitForLoadState("networkidle");
const isRedirected = !page.url().includes("/admin/users");
const hasForbiddenText = await page
.locator("text=/forbidden|permission|access denied|not authorized|unauthorized/i")
.first()
.isVisible()
.catch(() => false);
expect(isRedirected || hasForbiddenText).toBe(true);
});
});
// ---------------------------------------------------------------------------
// Allocations access by role
// ---------------------------------------------------------------------------
test.describe("RBAC — allocations permitted for admin", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin can view /allocations without permission errors", async ({ page }) => {
await page.goto("/allocations");
await page.waitForLoadState("networkidle");
await expect(page.locator("text=/do not have permission to view allocations/i")).toHaveCount(
0,
{ timeout: 8000 },
);
});
});
test.describe("RBAC — allocations permitted for manager", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager can view /allocations without permission errors", async ({ page }) => {
await page.goto("/allocations");
await page.waitForLoadState("networkidle");
await expect(page.locator("text=/do not have permission to view allocations/i")).toHaveCount(
0,
{ timeout: 8000 },
);
});
});
test.describe("RBAC — allocations forbidden for viewer", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer sees a permission error on /allocations", async ({ page }) => {
await page.goto("/allocations");
await page.waitForLoadState("networkidle");
// AllocationsClient renders the message in both the page subtitle and the card body;
// use .first() to avoid strict-mode violation.
await expect(
page.locator("text=/permission|forbidden|not have permission/i").first(),
).toBeVisible({ timeout: 10000 });
});
});
// ---------------------------------------------------------------------------
// Dashboard loads for every role
// ---------------------------------------------------------------------------
test.describe("RBAC — dashboard (admin)", () => {
test.use({ storageState: STORAGE_STATE.admin });
test("admin dashboard loads without errors", async ({ page }) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
});
});
test.describe("RBAC — dashboard (manager)", () => {
test.use({ storageState: STORAGE_STATE.manager });
test("manager dashboard loads without errors", async ({ page }) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
});
});
test.describe("RBAC — dashboard (viewer)", () => {
test.use({ storageState: STORAGE_STATE.viewer });
test("viewer dashboard loads without errors", async ({ page }) => {
await page.goto("/dashboard");
await page.waitForLoadState("networkidle");
await expect(page).not.toHaveURL(/\/auth\/signin/, { timeout: 5000 });
await expect(page.locator("text=/500|Internal Server Error/i")).toHaveCount(0);
});
});
Reference in New Issue View Git Blame Copy Permalink