39948-vm/backend/tests/check-permissions.test.ts
2026-07-02 14:22:33 +02:00

72 lines
1.9 KiB
TypeScript

import assert from 'node:assert/strict';
import test from 'node:test';
import { createRequest, createResponse } from 'node-mocks-http';
import {
checkCrudPermissions,
getCrudPermissionName,
} from '../src/middlewares/check-permissions.ts';
import {
setCurrentUser,
setRuntimePublicRequest,
} from '../src/utils/request-context.ts';
void test('getCrudPermissionName honors explicit permission override', () => {
assert.equal(
getCrudPermissionName(
'DELETE',
'page_elements',
'UPDATE_PAGE_ELEMENTS',
),
'UPDATE_PAGE_ELEMENTS',
);
});
void test('getCrudPermissionName keeps default method-derived permission without override', () => {
assert.equal(
getCrudPermissionName('DELETE', 'page_elements'),
'DELETE_PAGE_ELEMENTS',
);
});
void test('checkCrudPermissions allows users to read their own user route without broad READ_USERS permission', async () => {
const req = createRequest({
method: 'GET',
url: '/user-1',
params: { id: 'user-1' },
});
const res = createResponse();
setCurrentUser(req, {
id: 'user-1',
app_role: {
name: 'Public',
permissions: [],
},
});
const error = await new Promise<Error | null>((resolve) => {
checkCrudPermissions('users')(req, res, (nextError?: unknown) => {
resolve(nextError instanceof Error ? nextError : null);
});
});
assert.equal(error, null);
});
void test('checkCrudPermissions allows runtime public reads for presentation entities', async () => {
const req = createRequest({
method: 'GET',
url: '/',
});
const res = createResponse();
setRuntimePublicRequest(req, true);
const error = await new Promise<Error | null>((resolve) => {
checkCrudPermissions('tour_pages')(req, res, (nextError?: unknown) => {
resolve(nextError instanceof Error ? nextError : null);
});
});
assert.equal(error, null);
});