/** * Permission matrix tests. * * Tests the withPermission() guard logic directly using mock AuthContext values. * These tests do NOT require a database and run always. * * Verifies: * - super_admin bypasses all permission checks * - viewer can read but not write * - sales_agent can manage own clients/interests but not admin features * - sales_manager has elevated but non-admin access * - director has near-full access * - deepMerge correctly applies port-level overrides */ import { describe, it, expect, vi } from 'vitest'; import { withPermission, deepMerge, type AuthContext } from '@/lib/api/helpers'; import { makeViewerPermissions, makeSalesAgentPermissions, makeSalesManagerPermissions, makeDirectorPermissions, } from '../helpers/factories'; import type { RolePermissions } from '@/lib/db/schema/users'; import { NextRequest, NextResponse } from 'next/server'; // ─── Helpers ───────────────────────────────────────────────────────────────── function makeCtx(overrides: Partial): AuthContext { return { userId: 'user-1', portId: 'port-1', portSlug: 'test-port', isSuperAdmin: false, permissions: makeViewerPermissions(), user: { email: 'test@example.com', name: 'Test User' }, ipAddress: '127.0.0.1', userAgent: 'vitest/1.0', ...overrides, }; } /** Minimal NextRequest for testing permission guards. */ function makeRequest(): NextRequest { return new NextRequest('http://localhost/api/test', { method: 'GET' }); } /** Returns a handler that resolves to 200 OK. */ function okHandler() { return vi.fn().mockResolvedValue(NextResponse.json({ ok: true }, { status: 200 })); } /** * Invokes the withPermission guard and returns the response status. */ async function checkPermission( ctx: AuthContext, resource: keyof RolePermissions, action: string, ): Promise { const handler = okHandler(); const guarded = withPermission(resource, action, handler); const response = await guarded(makeRequest(), ctx, {}); return response.status; } // ─── super_admin ────────────────────────────────────────────────────────────── describe('Permission Matrix — super_admin', () => { const ctx = makeCtx({ isSuperAdmin: true, permissions: null }); it('can access clients.create', async () => { expect(await checkPermission(ctx, 'clients', 'create')).toBe(200); }); it('can access admin.manage_users', async () => { expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200); }); it('can access admin.system_backup', async () => { expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(200); }); it('can access invoices.delete', async () => { expect(await checkPermission(ctx, 'invoices', 'delete')).toBe(200); }); }); // ─── viewer ─────────────────────────────────────────────────────────────────── describe('Permission Matrix — viewer', () => { const ctx = makeCtx({ permissions: makeViewerPermissions() }); it('can view clients', async () => { expect(await checkPermission(ctx, 'clients', 'view')).toBe(200); }); it('cannot create clients', async () => { expect(await checkPermission(ctx, 'clients', 'create')).toBe(403); }); it('cannot update clients', async () => { expect(await checkPermission(ctx, 'clients', 'edit')).toBe(403); }); it('cannot delete clients', async () => { expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403); }); it('cannot change interest stage', async () => { expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(403); }); it('cannot manage admin settings', async () => { expect(await checkPermission(ctx, 'admin', 'manage_settings')).toBe(403); }); it('cannot manage webhooks', async () => { expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403); }); }); // ─── sales_agent ───────────────────────────────────────────────────────────── describe('Permission Matrix — sales_agent', () => { const ctx = makeCtx({ permissions: makeSalesAgentPermissions() }); it('can view clients', async () => { expect(await checkPermission(ctx, 'clients', 'view')).toBe(200); }); it('can create clients', async () => { expect(await checkPermission(ctx, 'clients', 'create')).toBe(200); }); it('can edit clients', async () => { expect(await checkPermission(ctx, 'clients', 'edit')).toBe(200); }); it('cannot delete clients', async () => { expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403); }); it('cannot merge clients', async () => { expect(await checkPermission(ctx, 'clients', 'merge')).toBe(403); }); it('can create interests', async () => { expect(await checkPermission(ctx, 'interests', 'create')).toBe(200); }); it('can change interest stage', async () => { expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(200); }); it('cannot manage admin users', async () => { expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403); }); it('cannot manage webhooks', async () => { expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403); }); it('cannot configure email accounts', async () => { expect(await checkPermission(ctx, 'email', 'configure_account')).toBe(403); }); }); // ─── sales_manager ──────────────────────────────────────────────────────────── describe('Permission Matrix — sales_manager', () => { const ctx = makeCtx({ permissions: makeSalesManagerPermissions() }); it('can do everything with clients', async () => { for (const action of ['view', 'create', 'edit', 'delete', 'merge', 'export']) { expect(await checkPermission(ctx, 'clients', action)).toBe(200); } }); it('can view audit log', async () => { expect(await checkPermission(ctx, 'admin', 'view_audit_log')).toBe(200); }); it('cannot manage webhooks', async () => { expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403); }); it('cannot manage system users', async () => { expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403); }); }); // ─── director ───────────────────────────────────────────────────────────────── describe('Permission Matrix — director', () => { const ctx = makeCtx({ permissions: makeDirectorPermissions() }); it('can manage webhooks', async () => { expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(200); }); it('can manage users', async () => { expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200); }); it('cannot perform system_backup', async () => { expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(403); }); }); // ─── deepMerge ──────────────────────────────────────────────────────────────── describe('deepMerge — permission override merging', () => { it('overrides a single leaf value', () => { const base = { clients: { view: true, create: false } }; const override = { clients: { create: true } }; const result = deepMerge(base, override) as typeof base; expect(result.clients.create).toBe(true); expect(result.clients.view).toBe(true); }); it('does not mutate the base object', () => { const base = { a: { b: false } }; const override = { a: { b: true } }; deepMerge(base, override); expect(base.a.b).toBe(false); }); it('merges nested objects without removing unrelated keys', () => { const base = { admin: { manage_users: false, view_audit_log: true } }; const override = { admin: { manage_users: true } }; const result = deepMerge(base, override) as typeof base; expect(result.admin.manage_users).toBe(true); expect(result.admin.view_audit_log).toBe(true); }); it('override with full-permission block gives full access', () => { const base = makeViewerPermissions() as Record; const override = { clients: { create: true, edit: true, delete: true, merge: true, export: true }, }; const result = deepMerge(base, override) as RolePermissions; expect(result.clients.create).toBe(true); expect(result.clients.view).toBe(true); // preserved from base }); it('handles non-object values (arrays stay as-is)', () => { const base = { events: ['a', 'b'] }; const override = { events: ['c'] }; const result = deepMerge(base, override) as typeof base; expect(result.events).toEqual(['c']); }); }); // ─── new resources (yachts, companies, memberships, reservations) ──────────── describe('new resources (yachts, companies, memberships, reservations)', () => { it('super_admin bypasses all new resource permissions', async () => { const ctx = makeCtx({ isSuperAdmin: true, permissions: null }); const handler = vi.fn(okHandler()); const wrapped = withPermission('yachts', 'transfer', handler); const res = await wrapped(makeRequest(), ctx, {}); expect(res.status).toBe(200); }); it('viewer can yachts.view but not yachts.transfer', async () => { const ctx = makeCtx({ permissions: makeViewerPermissions() }); const viewRes = await withPermission('yachts', 'view', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(viewRes.status).toBe(200); const transferRes = await withPermission('yachts', 'transfer', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(transferRes.status).toBe(403); }); it('sales_manager can yachts.transfer and memberships.manage', async () => { const ctx = makeCtx({ permissions: makeSalesManagerPermissions() }); const transferRes = await withPermission('yachts', 'transfer', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(transferRes.status).toBe(200); const manageRes = await withPermission('memberships', 'manage', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(manageRes.status).toBe(200); }); it('sales_agent can reservations.activate but not reservations.cancel', async () => { const ctx = makeCtx({ permissions: makeSalesAgentPermissions() }); const activateRes = await withPermission('reservations', 'activate', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(activateRes.status).toBe(200); const cancelRes = await withPermission('reservations', 'cancel', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(cancelRes.status).toBe(403); }); it('sales_agent cannot companies.delete', async () => { const ctx = makeCtx({ permissions: makeSalesAgentPermissions() }); const res = await withPermission('companies', 'delete', vi.fn(okHandler()))( makeRequest(), ctx, {}, ); expect(res.status).toBe(403); }); });