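import assert from 'node:assert/strict';
import test from 'node:test';
import AccessPolicy from '../src/services/access-policy.ts';
import type { CurrentUser, RoleRecord } from '../src/types/index.ts';

/**
 * Builds a minimal CurrentUser fixture that carries only an id and an app role.
 * The custom_permissions key is deliberately left unset.
 *
 * @param id - user id placed on the fixture
 * @param appRole - role record assigned as the fixture's app_role
 * @returns a CurrentUser with exactly `id` and `app_role` populated
 */
function userWithRole(id: string, appRole: RoleRecord): CurrentUser {
  return { id, app_role: appRole };
}

void test('effective permissions combine role permissions and custom permissions', async () => {
  const user: CurrentUser = {
    id: 'user-1',
    app_role: {
      name: 'Tour Designer',
      permissions: [{ name: 'READ_PROJECTS' }],
    },
    custom_permissions: [{ name: 'CREATE_SEARCH' }],
  };

  // Granted through the role.
  assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), true);
  // Granted only through custom_permissions.
  assert.equal(await AccessPolicy.hasPermission(user, 'CREATE_SEARCH'), true);
  // Granted by neither source.
  assert.equal(await AccessPolicy.hasPermission(user, 'DELETE_USERS'), false);
});

void test('public users cannot use admin api even if stale permissions exist', async () => {
  // The fixture carries stale grants in BOTH the role and the custom list;
  // a public user must be denied on each of them, not just the role one.
  const user: CurrentUser = {
    id: 'public-1',
    app_role: {
      name: 'Public',
      permissions: [{ name: 'READ_PROJECTS' }],
    },
    custom_permissions: [{ name: 'CREATE_SEARCH' }],
  };

  assert.equal(AccessPolicy.isPublicUser(user), true);
  // Stale role permission is ignored.
  assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), false);
  // Stale custom permission is ignored as well (the fixture sets it up, so it is asserted on).
  assert.equal(await AccessPolicy.hasPermission(user, 'CREATE_SEARCH'), false);
  assert.equal(AccessPolicy.canUseAdminApi(user), false);
});

void test('public role permissions are ignored for fallback permission checks', async () => {
  const permissions = await AccessPolicy.getRolePermissionNames({
    name: 'Public',
    permissions: [{ name: 'READ_PROJECTS' }],
  });

  // A Public role yields an empty permission set even though the record lists one.
  assert.equal(permissions?.size, 0);
});

void test('internal users with permissions can use admin api', () => {
  const user: CurrentUser = {
    id: 'staff-1',
    app_role: {
      name: 'Content Reviewer',
      permissions: [{ name: 'READ_PROJECTS' }],
    },
    custom_permissions: [],
  };

  assert.equal(AccessPolicy.isInternalUser(user), true);
  assert.equal(AccessPolicy.canUseAdminApi(user), true);
});

void test('platform-wide roles are explicit', () => {
  // Administrator is platform-wide; Tour Designer is not.
  assert.equal(AccessPolicy.isPlatformWideRole(userWithRole('admin-1', { name: 'Administrator' })), true);
  assert.equal(AccessPolicy.isPlatformWideRole(userWithRole('designer-1', { name: 'Tour Designer' })), false);
});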