import assert from 'node:assert/strict'; import test from 'node:test'; import { createRequest, createResponse } from 'node-mocks-http'; import { checkCrudPermissions, getCrudPermissionName, } from '../src/middlewares/check-permissions.ts'; import { setCurrentUser, setRuntimePublicRequest, } from '../src/utils/request-context.ts'; void test('getCrudPermissionName honors explicit permission override', () => { assert.equal( getCrudPermissionName( 'DELETE', 'page_elements', 'UPDATE_PAGE_ELEMENTS', ), 'UPDATE_PAGE_ELEMENTS', ); }); void test('getCrudPermissionName keeps default method-derived permission without override', () => { assert.equal( getCrudPermissionName('DELETE', 'page_elements'), 'DELETE_PAGE_ELEMENTS', ); }); void test('checkCrudPermissions allows users to read their own user route without broad READ_USERS permission', async () => { const req = createRequest({ method: 'GET', url: '/user-1', params: { id: 'user-1' }, }); const res = createResponse(); setCurrentUser(req, { id: 'user-1', app_role: { name: 'Public', permissions: [], }, }); const error = await new Promise((resolve) => { checkCrudPermissions('users')(req, res, (nextError?: unknown) => { resolve(nextError instanceof Error ? nextError : null); }); }); assert.equal(error, null); }); void test('checkCrudPermissions allows runtime public reads for presentation entities', async () => { const req = createRequest({ method: 'GET', url: '/', }); const res = createResponse(); setRuntimePublicRequest(req, true); const error = await new Promise((resolve) => { checkCrudPermissions('tour_pages')(req, res, (nextError?: unknown) => { resolve(nextError instanceof Error ? nextError : null); }); }); assert.equal(error, null); });