39948-vm/backend/tests/access-policy.test.ts
2026-07-01 15:45:38 +02:00

74 lines
2.3 KiB
TypeScript

import assert from 'node:assert/strict';
import test from 'node:test';
import AccessPolicy from '../src/services/access-policy.ts';
import type { CurrentUser, RoleRecord } from '../src/types/index.ts';
function userWithRole(id: string, appRole: RoleRecord): CurrentUser {
return { id, app_role: appRole };
}
void test('effective permissions combine role permissions and custom permissions', async () => {
const user: CurrentUser = {
id: 'user-1',
app_role: {
name: 'Tour Designer',
permissions: [{ name: 'READ_PROJECTS' }],
},
custom_permissions: [{ name: 'CREATE_SEARCH' }],
};
assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), true);
assert.equal(await AccessPolicy.hasPermission(user, 'CREATE_SEARCH'), true);
assert.equal(await AccessPolicy.hasPermission(user, 'DELETE_USERS'), false);
});
void test('public users cannot use admin api even if stale permissions exist', async () => {
const user: CurrentUser = {
id: 'public-1',
app_role: {
name: 'Public',
permissions: [{ name: 'READ_PROJECTS' }],
},
custom_permissions: [{ name: 'CREATE_SEARCH' }],
};
assert.equal(AccessPolicy.isPublicUser(user), true);
assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), false);
assert.equal(AccessPolicy.canUseAdminApi(user), false);
});
void test('public role permissions are ignored for fallback permission checks', async () => {
const permissions = await AccessPolicy.getRolePermissionNames({
name: 'Public',
permissions: [{ name: 'READ_PROJECTS' }],
});
assert.equal(permissions?.size, 0);
});
void test('internal users with permissions can use admin api', () => {
const user: CurrentUser = {
id: 'staff-1',
app_role: {
name: 'Content Reviewer',
permissions: [{ name: 'READ_PROJECTS' }],
},
custom_permissions: [],
};
assert.equal(AccessPolicy.isInternalUser(user), true);
assert.equal(AccessPolicy.canUseAdminApi(user), true);
});
void test('platform-wide roles are explicit', () => {
assert.equal(
AccessPolicy.isPlatformWideRole(userWithRole('admin-1', { name: 'Administrator' })),
true,
);
assert.equal(
AccessPolicy.isPlatformWideRole(userWithRole('designer-1', { name: 'Tour Designer' })),
false,
);
});