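/**
 * Tests for the checkCrudPermissions middleware: which permission name it
 * passes to AccessPolicy.hasPermission for a given request.
 *
 * Both cases send a DELETE request for the 'page_elements' entity. Each stub
 * grants exactly one permission name and the test asserts that this name is
 * the only one the middleware asked about.
 */
const assert = require('node:assert/strict');
const test = require('node:test');

const RolesDBApi = require('../src/db/api/roles');
const AccessPolicy = require('../src/services/access-policy');

// The role lookup is replaced with a 'Public' role that carries no permissions,
// and the replacement is installed before the middleware module is required.
// NOTE(review): presumably the middleware consults the Public role as a
// fallback, so an empty permission list keeps it from granting access on its
// own; confirm against src/middlewares/check-permissions.
const originalFindBy = RolesDBApi.findBy;
RolesDBApi.findBy = async () => ({
  id: 'public-role',
  name: 'Public',
  permissions: [],
});

const { checkCrudPermissions } = require('../src/middlewares/check-permissions');

test.after(() => {
  RolesDBApi.findBy = originalFindBy;
});

/**
 * Runs an Express-style middleware against `req` with an empty response object.
 *
 * @param {Function} middleware - (req, res, next) handler under test.
 * @param {object} req - Request stand-in handed to the middleware.
 * @returns {Promise<void>} Resolves when next() is called without an error;
 *   rejects when next(error) is called, when the middleware throws, or when a
 *   promise it returns rejects.
 */
function runMiddleware(middleware, req) {
  return new Promise((resolve, reject) => {
    const next = (error) => {
      if (error) {
        reject(error);
      } else {
        resolve();
      }
    };
    // If the middleware is async and rejects without calling next(), surface
    // that as a test failure instead of leaving this promise pending forever.
    Promise.resolve(middleware(req, {}, next)).catch(reject);
  });
}

/**
 * Runs checkCrudPermissions('page_elements') with AccessPolicy.hasPermission
 * stubbed to grant a single permission name, recording every name queried.
 *
 * @param {string} grantedPermission - The only permission name the stub grants.
 * @param {object} req - Request stand-in handed to the middleware.
 * @returns {Promise<string[]>} Permission names passed to hasPermission, in order.
 */
async function recordPermissionChecks(grantedPermission, req) {
  const originalHasPermission = AccessPolicy.hasPermission;
  const seenPermissions = [];
  AccessPolicy.hasPermission = async (_user, permission) => {
    seenPermissions.push(permission);
    return permission === grantedPermission;
  };
  try {
    await runMiddleware(checkCrudPermissions('page_elements'), req);
  } finally {
    // Always restore the real policy check so a failure here cannot leak the
    // permissive stub into other tests in the same process.
    AccessPolicy.hasPermission = originalHasPermission;
  }
  return seenPermissions;
}

// NOTE(review): req.permissionNameOverride replaces the method-derived
// permission, so a DELETE is authorized against UPDATE_PAGE_ELEMENTS here.
// That is only safe if the field is set by server-side routing code; confirm
// it can never be populated from client-controlled input (body, query,
// headers). Both tests cover the allow path only. A denial case, where the
// stub grants nothing for the overridden name, would pin that the override
// cannot widen access.
test('checkCrudPermissions honors explicit permission override', async () => {
  const seenPermissions = await recordPermissionChecks('UPDATE_PAGE_ELEMENTS', {
    method: 'DELETE',
    path: '/project/project-id/env/dev',
    currentUser: { id: 'user-1' },
    permissionNameOverride: 'UPDATE_PAGE_ELEMENTS',
  });

  assert.deepEqual(seenPermissions, ['UPDATE_PAGE_ELEMENTS']);
});

test('checkCrudPermissions keeps default method-derived permission without override', async () => {
  const seenPermissions = await recordPermissionChecks('DELETE_PAGE_ELEMENTS', {
    method: 'DELETE',
    path: '/project/project-id/env/dev',
    currentUser: { id: 'user-1' },
  });

  assert.deepEqual(seenPermissions, ['DELETE_PAGE_ELEMENTS']);
});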