73 lines
2.0 KiB
JavaScript
73 lines
2.0 KiB
JavaScript
const assert = require('node:assert/strict');
|
|
const test = require('node:test');
|
|
|
|
const AccessPolicy = require('../src/services/access-policy');
|
|
|
|
test('effective permissions combine role permissions and custom permissions', async () => {
|
|
const user = {
|
|
id: 'user-1',
|
|
app_role: {
|
|
name: 'Tour Designer',
|
|
permissions: [{ name: 'READ_PROJECTS' }],
|
|
},
|
|
custom_permissions: [{ name: 'CREATE_SEARCH' }],
|
|
};
|
|
|
|
assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), true);
|
|
assert.equal(await AccessPolicy.hasPermission(user, 'CREATE_SEARCH'), true);
|
|
assert.equal(await AccessPolicy.hasPermission(user, 'DELETE_USERS'), false);
|
|
});
|
|
|
|
test('public users cannot use admin api even if stale permissions exist', async () => {
|
|
const user = {
|
|
id: 'public-1',
|
|
app_role: {
|
|
name: 'Public',
|
|
permissions: [{ name: 'READ_PROJECTS' }],
|
|
},
|
|
custom_permissions: [{ name: 'CREATE_SEARCH' }],
|
|
};
|
|
|
|
assert.equal(AccessPolicy.isPublicUser(user), true);
|
|
assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), false);
|
|
assert.equal(AccessPolicy.canUseAdminApi(user), false);
|
|
});
|
|
|
|
test('public role permissions are ignored for fallback permission checks', async () => {
|
|
const permissions = await AccessPolicy.getRolePermissionNames({
|
|
name: 'Public',
|
|
permissions: [{ name: 'READ_PROJECTS' }],
|
|
});
|
|
|
|
assert.equal(permissions.size, 0);
|
|
});
|
|
|
|
test('internal users with permissions can use admin api', () => {
|
|
const user = {
|
|
id: 'staff-1',
|
|
app_role: {
|
|
name: 'Content Reviewer',
|
|
permissions: [{ name: 'READ_PROJECTS' }],
|
|
},
|
|
custom_permissions: [],
|
|
};
|
|
|
|
assert.equal(AccessPolicy.isInternalUser(user), true);
|
|
assert.equal(AccessPolicy.canUseAdminApi(user), true);
|
|
});
|
|
|
|
test('platform-wide roles are explicit', () => {
|
|
assert.equal(
|
|
AccessPolicy.isPlatformWideRole({
|
|
app_role: { name: 'Administrator' },
|
|
}),
|
|
true,
|
|
);
|
|
assert.equal(
|
|
AccessPolicy.isPlatformWideRole({
|
|
app_role: { name: 'Tour Designer' },
|
|
}),
|
|
false,
|
|
);
|
|
});
|