import assert from 'node:assert/strict';
import test from 'node:test';
import AccessPolicy from '../src/services/access-policy.ts';
import type { CurrentUser, RoleRecord } from '../src/types/index.ts';
/**
 * Builds a minimal `CurrentUser` fixture that carries only an id and an app role.
 *
 * No `custom_permissions` entry is set, so callers that need custom grants
 * spread this result and add them explicitly.
 *
 * @param id - the user id to place on the fixture
 * @param appRole - the role record stored under `app_role`
 * @returns a `CurrentUser` with exactly `id` and `app_role` populated
 */
function userWithRole(id: string, appRole: RoleRecord): CurrentUser {
  const fixture: CurrentUser = {
    id,
    app_role: appRole,
  };
  return fixture;
}
// A non-public user's effective permissions are the union of the permissions on
// the app role and the user's custom permissions; anything outside that union
// stays denied.
void test('effective permissions combine role permissions and custom permissions', async () => {
  const designer: CurrentUser = {
    ...userWithRole('user-1', {
      name: 'Tour Designer',
      permissions: [{ name: 'READ_PROJECTS' }],
    }),
    custom_permissions: [{ name: 'CREATE_SEARCH' }],
  };

  // [permission name, expected outcome]
  const expectations: ReadonlyArray<[string, boolean]> = [
    ['READ_PROJECTS', true], // granted through app_role.permissions
    ['CREATE_SEARCH', true], // granted through custom_permissions
    ['DELETE_USERS', false], // granted by neither source
  ];

  for (const [permission, expected] of expectations) {
    assert.equal(await AccessPolicy.hasPermission(designer, permission), expected, permission);
  }
});
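// A user whose app_role is 'Public' is treated as anonymous. Both grant sources
// (role permissions and custom permissions) are populated on purpose so the test
// fails if either one is consulted for a public user, and the admin API must
// stay closed regardless of what the record carries.
void test('public users cannot use admin api even if stale permissions exist', async () => {
  const user: CurrentUser = {
    id: 'public-1',
    app_role: {
      name: 'Public',
      permissions: [{ name: 'READ_PROJECTS' }],
    },
    custom_permissions: [{ name: 'CREATE_SEARCH' }],
  };

  assert.equal(AccessPolicy.isPublicUser(user), true);
  // Stale permission on the Public role must not be honoured.
  assert.equal(await AccessPolicy.hasPermission(user, 'READ_PROJECTS'), false);
  // Stale custom permission must not be honoured either; custom_permissions is
  // the second grant source and the fixture deliberately populates it.
  assert.equal(await AccessPolicy.hasPermission(user, 'CREATE_SEARCH'), false);
  assert.equal(AccessPolicy.canUseAdminApi(user), false);
});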
// Permissions listed on the 'Public' role record must not surface through
// getRolePermissionNames (the lookup the test title calls the fallback check).
void test('public role permissions are ignored for fallback permission checks', async () => {
  const publicRole = {
    name: 'Public',
    permissions: [{ name: 'READ_PROJECTS' }],
  };

  const names = await AccessPolicy.getRolePermissionNames(publicRole);

  // `?.size` keeps the assertion strict: an undefined result compares as
  // undefined !== 0 and fails rather than passing vacuously.
  assert.equal(names?.size, 0);
});
// A user on a non-public role with at least one role permission is classified
// as internal and is allowed to reach the admin API.
void test('internal users with permissions can use admin api', () => {
  const reviewer: CurrentUser = {
    ...userWithRole('staff-1', {
      name: 'Content Reviewer',
      permissions: [{ name: 'READ_PROJECTS' }],
    }),
    custom_permissions: [],
  };

  assert.equal(AccessPolicy.isInternalUser(reviewer), true);
  assert.equal(AccessPolicy.canUseAdminApi(reviewer), true);
});
// Platform-wide status is decided by the role itself: 'Administrator' qualifies,
// an ordinary role such as 'Tour Designer' does not.
void test('platform-wide roles are explicit', () => {
  // [user id, role name, expected outcome]
  const cases: ReadonlyArray<[string, string, boolean]> = [
    ['admin-1', 'Administrator', true],
    ['designer-1', 'Tour Designer', false],
  ];

  for (const [id, roleName, expected] of cases) {
    const subject = userWithRole(id, { name: roleName });
    assert.equal(AccessPolicy.isPlatformWideRole(subject), expected, roleName);
  }
});