letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
037f2544e8cd79b697042aaedf8e008a7c510cf6
pn-new-crm/tests/integration/permission-matrix.test.ts
Matt 67d7e6e3d5
Some checks failed
Build & Push Docker Images / build-and-push (push) Has been cancelled
Details
Build & Push Docker Images / deploy (push) Has been cancelled
Details
Build & Push Docker Images / lint (push) Has been cancelled
Details
Initial commit: Port Nimara CRM (Layers 0-4) 
Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM,
PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source
files covering clients, berths, interests/pipeline, documents/EOI,
expenses/invoices, email, notifications, dashboard, admin, and
client portal. CI/CD via Gitea Actions with Docker builds.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00

253 lines
9.2 KiB
TypeScript
Raw Blame History

/**
* Permission matrix tests.
*
* Tests the withPermission() guard logic directly using mock AuthContext values.
* These tests do NOT require a database and run always.
*
* Verifies:
* - super_admin bypasses all permission checks
* - viewer can read but not write
* - sales_agent can manage own clients/interests but not admin features
* - sales_manager has elevated but non-admin access
* - director has near-full access
* - deepMerge correctly applies port-level overrides
*/
import { describe, it, expect, vi } from 'vitest';
import { withPermission, deepMerge, type AuthContext } from '@/lib/api/helpers';
import {
makeFullPermissions,
makeViewerPermissions,
makeSalesAgentPermissions,
makeSalesManagerPermissions,
makeDirectorPermissions,
} from '../helpers/factories';
import type { RolePermissions } from '@/lib/db/schema/users';
import { NextRequest, NextResponse } from 'next/server';
// ─── Helpers ─────────────────────────────────────────────────────────────────
function makeCtx(overrides: Partial<AuthContext>): AuthContext {
return {
userId: 'user-1',
portId: 'port-1',
portSlug: 'test-port',
isSuperAdmin: false,
permissions: makeViewerPermissions(),
user: { email: 'test@example.com', name: 'Test User' },
ipAddress: '127.0.0.1',
userAgent: 'vitest/1.0',
...overrides,
};
}
/** Minimal NextRequest for testing permission guards. */
function makeRequest(): NextRequest {
return new NextRequest('http://localhost/api/test', { method: 'GET' });
}
/** Returns a handler that resolves to 200 OK. */
function okHandler() {
return vi.fn().mockResolvedValue(NextResponse.json({ ok: true }, { status: 200 }));
}
/**
* Invokes the withPermission guard and returns the response status.
*/
async function checkPermission(
ctx: AuthContext,
resource: keyof RolePermissions,
action: string,
): Promise<number> {
const handler = okHandler();
const guarded = withPermission(resource, action, handler);
const response = await guarded(makeRequest(), ctx, {});
return response.status;
}
// ─── super_admin ──────────────────────────────────────────────────────────────
describe('Permission Matrix — super_admin', () => {
const ctx = makeCtx({ isSuperAdmin: true, permissions: null });
it('can access clients.create', async () => {
expect(await checkPermission(ctx, 'clients', 'create')).toBe(200);
});
it('can access admin.manage_users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200);
});
it('can access admin.system_backup', async () => {
expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(200);
});
it('can access invoices.delete', async () => {
expect(await checkPermission(ctx, 'invoices', 'delete')).toBe(200);
});
});
// ─── viewer ───────────────────────────────────────────────────────────────────
describe('Permission Matrix — viewer', () => {
const ctx = makeCtx({ permissions: makeViewerPermissions() });
it('can view clients', async () => {
expect(await checkPermission(ctx, 'clients', 'view')).toBe(200);
});
it('cannot create clients', async () => {
expect(await checkPermission(ctx, 'clients', 'create')).toBe(403);
});
it('cannot update clients', async () => {
expect(await checkPermission(ctx, 'clients', 'edit')).toBe(403);
});
it('cannot delete clients', async () => {
expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403);
});
it('cannot change interest stage', async () => {
expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(403);
});
it('cannot manage admin settings', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_settings')).toBe(403);
});
it('cannot manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
});
});
// ─── sales_agent ─────────────────────────────────────────────────────────────
describe('Permission Matrix — sales_agent', () => {
const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
it('can view clients', async () => {
expect(await checkPermission(ctx, 'clients', 'view')).toBe(200);
});
it('can create clients', async () => {
expect(await checkPermission(ctx, 'clients', 'create')).toBe(200);
});
it('can edit clients', async () => {
expect(await checkPermission(ctx, 'clients', 'edit')).toBe(200);
});
it('cannot delete clients', async () => {
expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403);
});
it('cannot merge clients', async () => {
expect(await checkPermission(ctx, 'clients', 'merge')).toBe(403);
});
it('can create interests', async () => {
expect(await checkPermission(ctx, 'interests', 'create')).toBe(200);
});
it('can change interest stage', async () => {
expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(200);
});
it('cannot manage admin users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403);
});
it('cannot manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
});
it('cannot configure email accounts', async () => {
expect(await checkPermission(ctx, 'email', 'configure_account')).toBe(403);
});
});
// ─── sales_manager ────────────────────────────────────────────────────────────
describe('Permission Matrix — sales_manager', () => {
const ctx = makeCtx({ permissions: makeSalesManagerPermissions() });
it('can do everything with clients', async () => {
for (const action of ['view', 'create', 'edit', 'delete', 'merge', 'export']) {
expect(await checkPermission(ctx, 'clients', action)).toBe(200);
}
});
it('can view audit log', async () => {
expect(await checkPermission(ctx, 'admin', 'view_audit_log')).toBe(200);
});
it('cannot manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
});
it('cannot manage system users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403);
});
});
// ─── director ─────────────────────────────────────────────────────────────────
describe('Permission Matrix — director', () => {
const ctx = makeCtx({ permissions: makeDirectorPermissions() });
it('can manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(200);
});
it('can manage users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200);
});
it('cannot perform system_backup', async () => {
expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(403);
});
});
// ─── deepMerge ────────────────────────────────────────────────────────────────
describe('deepMerge — permission override merging', () => {
it('overrides a single leaf value', () => {
const base = { clients: { view: true, create: false } };
const override = { clients: { create: true } };
const result = deepMerge(base, override) as typeof base;
expect(result.clients.create).toBe(true);
expect(result.clients.view).toBe(true);
});
it('does not mutate the base object', () => {
const base = { a: { b: false } };
const override = { a: { b: true } };
deepMerge(base, override);
expect(base.a.b).toBe(false);
});
it('merges nested objects without removing unrelated keys', () => {
const base = { admin: { manage_users: false, view_audit_log: true } };
const override = { admin: { manage_users: true } };
const result = deepMerge(base, override) as typeof base;
expect(result.admin.manage_users).toBe(true);
expect(result.admin.view_audit_log).toBe(true);
});
it('override with full-permission block gives full access', () => {
const base = makeViewerPermissions() as Record<string, unknown>;
const override = { clients: { create: true, edit: true, delete: true, merge: true, export: true } };
const result = deepMerge(base, override) as RolePermissions;
expect(result.clients.create).toBe(true);
expect(result.clients.view).toBe(true); // preserved from base
});
it('handles non-object values (arrays stay as-is)', () => {
const base = { events: ['a', 'b'] };
const override = { events: ['c'] };
const result = deepMerge(base, override) as typeof base;
expect(result.events).toEqual(['c']);
});
});
Reference in New Issue View Git Blame Copy Permalink