letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3f9c4589e048c4af9de0cf3f2b1df08457baf420
pn-new-crm/tests/integration/api/saved-views-ownership.test.ts
Matt 221ae5784e chore(autonomous-session): consolidate uncommitted work from prior session 
Bundles the prior autonomous-session output that was sitting unstaged:

- Em-dash sweep across src/ + tests/ (en-dash/em-dash to hyphen, ~2280 instances)
- country-flag-icons rollout (CountryFlag component, replaces emoji glyphs that
  never rendered on Windows; lazy-loads the 3x2 SVG index as a single chunk
  after the per-subpath dynamic-import approach silently failed in webpack)
- Admin IA Phase 1+2: 7-domain regroup, 41 to 38 pages, /admin/berths index,
  redirects (ocr to ai, reports to dashboard, invitations to users),
  docs/admin-ia-proposal.md
- Per-template email tester (registry + endpoint + UI on Email admin page)
- Cancel-document mode picker (delete-from-Documenso vs keep-for-audit)
- Dashboard PDF report: 25 widgets, SVG charts, date-range picker, 11 resolvers
- Customize-widgets per-region sortables at xl+ (charts/rails/feed); single
  flat sortable below xl when the layout stacks; per-viewport saved orders
- Audit doc updates capturing each shipped item
- Lint fixes: react-compiler immutability in DonutChart (reduce instead of
  let-reassign), set-state-in-effect disables in CountryFlag and
  UploadForSigning preview-bytes effect, unused 'confirm' destructures in
  interest contract + reservation tabs, unescaped apostrophe in test-template
  card copy
2026-05-23 00:52:59 +02:00

127 lines
4.2 KiB
TypeScript
Raw Blame History

/**
* Saved-views ownership enforcement - locks in the 403/404 split shipped
* in fix(auth). The route handlers preflight `assertViewOwner` BEFORE the
* service call, so even if the service's internal userId filter is later
* refactored, the route still rejects cross-user mutations.
*/
import { describe, it, expect, beforeAll } from 'vitest';
import { db } from '@/lib/db';
import { savedViewsService } from '@/lib/services/saved-views.service';
import { patchHandler, deleteHandler } from '@/app/api/v1/saved-views/[id]/handlers';
import { makeMockCtx, makeMockRequest } from '../../helpers/route-tester';
import { makePort } from '../../helpers/factories';
describe('saved-views ownership enforcement', () => {
let portId: string;
let viewId: string;
const ownerUserId = 'user-owner';
const otherUserId = 'user-other';
beforeAll(async () => {
const port = await makePort();
portId = port.id;
const view = await savedViewsService.create(portId, ownerUserId, {
entityType: 'clients',
name: 'Hot leads',
filters: { stage: 'hot_lead' } as Record<string, unknown>,
isShared: false,
isDefault: false,
});
if (!view) throw new Error('seed view failed');
viewId = view.id;
});
it('PATCH from owner: 200', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'Renamed by owner' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(200);
const body = (await res.json()) as any;
expect(body.data.name).toBe('Renamed by owner');
});
it('PATCH from a different user: 403 (not 404)', async () => {
const ctx = makeMockCtx({ portId, userId: otherUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'Hostile rename' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(403);
// Verify the row was not mutated.
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row?.name).toBe('Renamed by owner');
});
it('DELETE from a different user: 403 and view still exists', async () => {
const ctx = makeMockCtx({ portId, userId: otherUserId });
const res = await deleteHandler(
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
ctx,
{ id: viewId },
);
expect(res.status).toBe(403);
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row).toBeTruthy();
});
it('PATCH on a non-existent id: 404', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest(
'PATCH',
'http://localhost/api/v1/saved-views/00000000-0000-0000-0000-000000000000',
{ body: { name: 'no-op' } },
),
ctx,
{ id: '00000000-0000-0000-0000-000000000000' },
);
expect(res.status).toBe(404);
});
it('PATCH on a view in a different port: 404 (cross-port enumeration is blocked)', async () => {
// The view exists in `portId` but the auth context says we're operating
// in a different port. The lookup is scoped to `(id, portId)` so the row
// is invisible - should 404, not 403.
const otherPort = await makePort();
const ctx = makeMockCtx({ portId: otherPort.id, userId: ownerUserId });
const res = await patchHandler(
makeMockRequest('PATCH', `http://localhost/api/v1/saved-views/${viewId}`, {
body: { name: 'cross-port attempt' },
}),
ctx,
{ id: viewId },
);
expect(res.status).toBe(404);
});
it('DELETE from owner: 200 and view is gone', async () => {
const ctx = makeMockCtx({ portId, userId: ownerUserId });
const res = await deleteHandler(
makeMockRequest('DELETE', `http://localhost/api/v1/saved-views/${viewId}`),
ctx,
{ id: viewId },
);
expect(res.status).toBe(200);
const row = await db.query.savedViews.findFirst({
where: (sv, { eq }) => eq(sv.id, viewId),
});
expect(row).toBeUndefined();
});
});
Reference in New Issue View Git Blame Copy Permalink