letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(permissions): add yacht, company, membership, reservation keys

Browse Source
This commit is contained in:
Matt Ciaccio
2026-04-24 12:30:06 +02:00
parent b053a6388e
commit f743169354
4 changed files with 414 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
tests/helpers/factories.ts
View File

@@ -224,6 +224,10 @@ export function makeFullPermissions(): RolePermissions {
calendar: { connect: true, view_events: true },
reports: { view_dashboard: true, view_analytics: true, export: true },
document_templates: { view: true, generate: true, manage: true },
yachts: { view: true, create: true, edit: true, delete: true, transfer: true },
companies: { view: true, create: true, edit: true, delete: true },
memberships: { view: true, manage: true },
reservations: { view: true, create: true, activate: true, cancel: true },
admin: {
manage_users: true,
view_audit_log: true,
@@ -289,6 +293,10 @@ export function makeViewerPermissions(): RolePermissions {
calendar: { connect: false, view_events: true },
reports: { view_dashboard: true, view_analytics: false, export: false },
document_templates: { view: true, generate: false, manage: false },
yachts: { view: true, create: false, edit: false, delete: false, transfer: false },
companies: { view: true, create: false, edit: false, delete: false },
memberships: { view: true, manage: false },
reservations: { view: true, create: false, activate: false, cancel: false },
admin: {
manage_users: false,
view_audit_log: false,
@@ -354,6 +362,10 @@ export function makeSalesAgentPermissions(): RolePermissions {
calendar: { connect: true, view_events: true },
reports: { view_dashboard: true, view_analytics: false, export: false },
document_templates: { view: true, generate: true, manage: false },
yachts: { view: true, create: true, edit: true, delete: false, transfer: false },
companies: { view: true, create: true, edit: false, delete: false },
memberships: { view: true, manage: false },
reservations: { view: true, create: true, activate: true, cancel: false },
admin: {
manage_users: false,
view_audit_log: false,
@@ -419,6 +431,10 @@ export function makeSalesManagerPermissions(): RolePermissions {
calendar: { connect: true, view_events: true },
reports: { view_dashboard: true, view_analytics: true, export: true },
document_templates: { view: true, generate: true, manage: false },
yachts: { view: true, create: true, edit: true, delete: false, transfer: true },
companies: { view: true, create: true, edit: true, delete: false },
memberships: { view: true, manage: true },
reservations: { view: true, create: true, activate: true, cancel: true },
admin: {
manage_users: false,
view_audit_log: true,

75
tests/integration/permission-matrix.test.ts
View File

@@ -16,7 +16,6 @@ import { describe, it, expect, vi } from 'vitest';
import { withPermission, deepMerge, type AuthContext } from '@/lib/api/helpers';
import {
makeFullPermissions,
makeViewerPermissions,
makeSalesAgentPermissions,
makeSalesManagerPermissions,
@@ -237,7 +236,9 @@ describe('deepMerge — permission override merging', () => {
it('override with full-permission block gives full access', () => {
const base = makeViewerPermissions() as Record<string, unknown>;
const override = { clients: { create: true, edit: true, delete: true, merge: true, export: true } };
const override = {
clients: { create: true, edit: true, delete: true, merge: true, export: true },
};
const result = deepMerge(base, override) as RolePermissions;
expect(result.clients.create).toBe(true);
expect(result.clients.view).toBe(true); // preserved from base
@@ -250,3 +251,73 @@ describe('deepMerge — permission override merging', () => {
expect(result.events).toEqual(['c']);
});
});
// ─── new resources (yachts, companies, memberships, reservations) ────────────
describe('new resources (yachts, companies, memberships, reservations)', () => {
it('super_admin bypasses all new resource permissions', async () => {
const ctx = makeCtx({ isSuperAdmin: true, permissions: null });
const handler = vi.fn(okHandler());
const wrapped = withPermission('yachts', 'transfer', handler);
const res = await wrapped(makeRequest(), ctx, {});
expect(res.status).toBe(200);
});
it('viewer can yachts.view but not yachts.transfer', async () => {
const ctx = makeCtx({ permissions: makeViewerPermissions() });
const viewRes = await withPermission('yachts', 'view', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(viewRes.status).toBe(200);
const transferRes = await withPermission('yachts', 'transfer', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(transferRes.status).toBe(403);
});
it('sales_manager can yachts.transfer and memberships.manage', async () => {
const ctx = makeCtx({ permissions: makeSalesManagerPermissions() });
const transferRes = await withPermission('yachts', 'transfer', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(transferRes.status).toBe(200);
const manageRes = await withPermission('memberships', 'manage', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(manageRes.status).toBe(200);
});
it('sales_agent can reservations.activate but not reservations.cancel', async () => {
const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
const activateRes = await withPermission('reservations', 'activate', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(activateRes.status).toBe(200);
const cancelRes = await withPermission('reservations', 'cancel', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(cancelRes.status).toBe(403);
});
it('sales_agent cannot companies.delete', async () => {
const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
const res = await withPermission('companies', 'delete', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(res.status).toBe(403);
});
});