905c7d460b
* add test suite, mostly covers integration testing, tests are only backend side * workflow runs the correct script * workflow runs the correct script * workflow runs the correct script * unit tests incoming * Fix multer silent rejections and error handler info leak - Revert cb(null, false) to cb(new Error(...)) in auth.ts, collab.ts, and files.ts so invalid uploads return an error instead of silently dropping the file - Error handler in app.ts now always returns 500 / "Internal server error" instead of forwarding err.message to the client * Use statusCode consistently for multer errors and error handler - Error handler in app.ts reads err.statusCode to forward the correct HTTP status while keeping the response body generic
84 lines
2.8 KiB
TypeScript
84 lines
2.8 KiB
TypeScript
import { describe, it, expect, vi } from 'vitest';
|
|
|
|
// Mock database — permissions module queries app_settings at runtime
|
|
vi.mock('../../../src/db/database', () => ({
|
|
db: {
|
|
prepare: () => ({
|
|
all: () => [], // no custom permissions → fall back to defaults
|
|
run: vi.fn(),
|
|
}),
|
|
},
|
|
}));
|
|
|
|
import { checkPermission, getPermissionLevel, PERMISSION_ACTIONS } from '../../../src/services/permissions';
|
|
|
|
describe('permissions', () => {
|
|
describe('checkPermission — admin bypass', () => {
|
|
it('admin always passes regardless of permission level', () => {
|
|
for (const action of PERMISSION_ACTIONS) {
|
|
expect(checkPermission(action.key, 'admin', 1, 1, false)).toBe(true);
|
|
expect(checkPermission(action.key, 'admin', 99, 1, false)).toBe(true);
|
|
}
|
|
});
|
|
});
|
|
|
|
describe('checkPermission — everybody level', () => {
|
|
it('trip_create (everybody) allows any authenticated user', () => {
|
|
expect(checkPermission('trip_create', 'user', null, 42, false)).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('checkPermission — trip_owner level', () => {
|
|
const ownerId = 10;
|
|
const memberId = 20;
|
|
|
|
it('trip owner passes trip_owner check', () => {
|
|
expect(checkPermission('trip_delete', 'user', ownerId, ownerId, false)).toBe(true);
|
|
});
|
|
|
|
it('member fails trip_owner check', () => {
|
|
expect(checkPermission('trip_delete', 'user', ownerId, memberId, true)).toBe(false);
|
|
});
|
|
|
|
it('non-member non-owner fails trip_owner check', () => {
|
|
expect(checkPermission('trip_delete', 'user', ownerId, memberId, false)).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('checkPermission — trip_member level', () => {
|
|
const ownerId = 10;
|
|
const memberId = 20;
|
|
const outsiderId = 30;
|
|
|
|
it('trip owner passes trip_member check', () => {
|
|
expect(checkPermission('day_edit', 'user', ownerId, ownerId, false)).toBe(true);
|
|
});
|
|
|
|
it('trip member passes trip_member check', () => {
|
|
expect(checkPermission('day_edit', 'user', ownerId, memberId, true)).toBe(true);
|
|
});
|
|
|
|
it('outsider fails trip_member check', () => {
|
|
expect(checkPermission('day_edit', 'user', ownerId, outsiderId, false)).toBe(false);
|
|
});
|
|
});
|
|
|
|
describe('getPermissionLevel — defaults', () => {
|
|
it('returns default level for known actions (no DB overrides)', () => {
|
|
const defaults: Record<string, string> = {
|
|
trip_create: 'everybody',
|
|
trip_delete: 'trip_owner',
|
|
day_edit: 'trip_member',
|
|
budget_edit: 'trip_member',
|
|
};
|
|
for (const [key, expected] of Object.entries(defaults)) {
|
|
expect(getPermissionLevel(key)).toBe(expected);
|
|
}
|
|
});
|
|
|
|
it('returns trip_owner for unknown action key', () => {
|
|
expect(getPermissionLevel('nonexistent_action')).toBe('trip_owner');
|
|
});
|
|
});
|
|
});
|