const assert = require('node:assert/strict'); const test = require('node:test'); const AccessPolicy = require('../src/services/access-policy'); test('effective permissions combine role permissions and custom permissions', async () => { const user = { id: 'user-1', app_role: { name: 'Tour Designer', permissions: [{ name: 'READ_PROJECTS' }], }, custom_permissions: [{ name: 'CREATE_SEARCH' }], }; assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), true); assert.equal(await AccessPolicy.hasPermission(user, 'CREATE_SEARCH'), true); assert.equal(await AccessPolicy.hasPermission(user, 'DELETE_USERS'), false); }); test('public users cannot use admin api even if stale permissions exist', async () => { const user = { id: 'public-1', app_role: { name: 'Public', permissions: [{ name: 'READ_PROJECTS' }], }, custom_permissions: [{ name: 'CREATE_SEARCH' }], }; assert.equal(AccessPolicy.isPublicUser(user), true); assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), false); assert.equal(AccessPolicy.canUseAdminApi(user), false); }); test('public role permissions are ignored for fallback permission checks', async () => { const permissions = await AccessPolicy.getRolePermissionNames({ name: 'Public', permissions: [{ name: 'READ_PROJECTS' }], }); assert.equal(permissions.size, 0); }); test('internal users with permissions can use admin api', () => { const user = { id: 'staff-1', app_role: { name: 'Content Reviewer', permissions: [{ name: 'READ_PROJECTS' }], }, custom_permissions: [], }; assert.equal(AccessPolicy.isInternalUser(user), true); assert.equal(AccessPolicy.canUseAdminApi(user), true); }); test('platform-wide roles are explicit', () => { assert.equal( AccessPolicy.isPlatformWideRole({ app_role: { name: 'Administrator' }, }), true, ); assert.equal( AccessPolicy.isPlatformWideRole({ app_role: { name: 'Tour Designer' }, }), false, ); });