letsbe/pn-new-crm
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
b6c27b506d951c9100aec95c25a681da9651aa89
pn-new-crm/tests/integration/permission-matrix.test.ts
Matt ccc775dc66 feat(tenancies-p2): rename berth_reservations → berth_tenancies (schema + perms + UI) 
73-file atomic rename per docs/tenancies-design.md:

- Migration 0085: rename table + indexes + FK constraints; rename
  documents.reservation_id → tenancy_id; migrate jsonb permission maps
  (reservations resource → tenancies; collapse create+activate → manage);
  rewrite historical audit_logs.entity_type='berth_reservation' →
  'berth_tenancy'. FK renames wrapped in DO blocks so dev DBs that pre-date
  the FK additions don't abort.
- Schema: berthReservations → berthTenancies; BerthReservation type →
  BerthTenancy; indexes idx_br_* / idx_brr_* → idx_bt_*.
- RolePermissions: resource { view, create, activate, cancel } collapses to
  { view, manage, cancel }; all 8 default seed bundles + role-form + matrix
  updated.
- Service: berth-reservations.service.ts → berth-tenancies.service.ts;
  endReservation → endTenancy; listReservations → listTenancies.
- API: /api/v1/berth-reservations → /api/v1/tenancies (+ nested [id]);
  /api/v1/berths/[id]/reservations → /api/v1/berths/[id]/tenancies.
- Validators: reservations.ts → tenancies.ts; RESERVATION_STATUSES →
  TENANCY_STATUSES; endReservationSchema → endTenancySchema.
- Routes: /{portSlug}/berth-reservations → /{portSlug}/tenancies;
  /portal/my-reservations → /portal/my-tenancies.
- Components: src/components/reservations/* → src/components/tenancies/*;
  BerthReservationsTab → BerthTenanciesTab; ClientReservationsTab →
  ClientTenanciesTab; ReservationList → TenancyList.
- Socket events: berth_reservation:* → berth_tenancy:*; payload
  reservationId → tenancyId.
- Webhook events: berth_reservation.* → berth_tenancy.*.
- Portal: getPortalUserReservations → getPortalUserTenancies;
  PortalReservation → PortalTenancy; PortalDashboard.counts.activeReservations
  → activeTenancies; PortalNav label "Reservations" → "Tenancies".
- Dossier: DossierReservation → DossierTenancy; reservationDecisions →
  tenancyDecisions across smart-archive-dialog + bulk-archive routes.
- Documents schema: documents.reservationId → documents.tenancyId
  (TS + DB column + index + FK constraint).
- Activity feed label berth_reservation → berth_tenancy (matched against
  migrated historical audit rows).

KEPT (separate concepts):
- Reservation Agreement document type (the contract sent to clients).
- "Reservation" pipeline stage name.
- {{reservation.*}} merge tokens in template authoring.
- interest.reservationStatus / reservationDocStatus / dateReservationSent
  fields (track agreement signing on the deal).
- reservation-agreement-context.ts service (builds merge context for the
  Reservation Agreement doc; only its DB imports were renamed).

Verified: tsc clean, 1480/1480 vitest passing, migration applied.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 15:09:35 +02:00

324 lines
12 KiB
TypeScript
Raw Blame History

/**
* Permission matrix tests.
*
* Tests the withPermission() guard logic directly using mock AuthContext values.
* These tests do NOT require a database and run always.
*
* Verifies:
* - super_admin bypasses all permission checks
* - viewer can read but not write
* - sales_agent can manage own clients/interests but not admin features
* - sales_manager has elevated but non-admin access
* - director has near-full access
* - deepMerge correctly applies port-level overrides
*/
import { describe, it, expect, vi } from 'vitest';
import { withPermission, deepMerge, type AuthContext } from '@/lib/api/helpers';
import {
makeViewerPermissions,
makeSalesAgentPermissions,
makeSalesManagerPermissions,
makeDirectorPermissions,
} from '../helpers/factories';
import type { RolePermissions } from '@/lib/db/schema/users';
import { NextRequest, NextResponse } from 'next/server';
// ─── Helpers ─────────────────────────────────────────────────────────────────
function makeCtx(overrides: Partial<AuthContext>): AuthContext {
return {
userId: 'user-1',
portId: 'port-1',
portSlug: 'test-port',
isSuperAdmin: false,
permissions: makeViewerPermissions(),
user: { email: 'test@example.com', name: 'Test User' },
ipAddress: '127.0.0.1',
userAgent: 'vitest/1.0',
...overrides,
};
}
/** Minimal NextRequest for testing permission guards. */
function makeRequest(): NextRequest {
return new NextRequest('http://localhost/api/test', { method: 'GET' });
}
/** Returns a handler that resolves to 200 OK. */
function okHandler() {
return vi.fn().mockResolvedValue(NextResponse.json({ ok: true }, { status: 200 }));
}
/**
* Invokes the withPermission guard and returns the response status.
*/
async function checkPermission(
ctx: AuthContext,
resource: keyof RolePermissions,
action: string,
): Promise<number> {
const handler = okHandler();
const guarded = withPermission(resource, action, handler);
const response = await guarded(makeRequest(), ctx, {});
return response.status;
}
// ─── super_admin ──────────────────────────────────────────────────────────────
describe('Permission Matrix - super_admin', () => {
const ctx = makeCtx({ isSuperAdmin: true, permissions: null });
it('can access clients.create', async () => {
expect(await checkPermission(ctx, 'clients', 'create')).toBe(200);
});
it('can access admin.manage_users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200);
});
it('can access admin.system_backup', async () => {
expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(200);
});
it('can access invoices.delete', async () => {
expect(await checkPermission(ctx, 'invoices', 'delete')).toBe(200);
});
});
// ─── viewer ───────────────────────────────────────────────────────────────────
describe('Permission Matrix - viewer', () => {
const ctx = makeCtx({ permissions: makeViewerPermissions() });
it('can view clients', async () => {
expect(await checkPermission(ctx, 'clients', 'view')).toBe(200);
});
it('cannot create clients', async () => {
expect(await checkPermission(ctx, 'clients', 'create')).toBe(403);
});
it('cannot update clients', async () => {
expect(await checkPermission(ctx, 'clients', 'edit')).toBe(403);
});
it('cannot delete clients', async () => {
expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403);
});
it('cannot change interest stage', async () => {
expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(403);
});
it('cannot manage admin settings', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_settings')).toBe(403);
});
it('cannot manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
});
});
// ─── sales_agent ─────────────────────────────────────────────────────────────
describe('Permission Matrix - sales_agent', () => {
const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
it('can view clients', async () => {
expect(await checkPermission(ctx, 'clients', 'view')).toBe(200);
});
it('can create clients', async () => {
expect(await checkPermission(ctx, 'clients', 'create')).toBe(200);
});
it('can edit clients', async () => {
expect(await checkPermission(ctx, 'clients', 'edit')).toBe(200);
});
it('cannot delete clients', async () => {
expect(await checkPermission(ctx, 'clients', 'delete')).toBe(403);
});
it('cannot merge clients', async () => {
expect(await checkPermission(ctx, 'clients', 'merge')).toBe(403);
});
it('can create interests', async () => {
expect(await checkPermission(ctx, 'interests', 'create')).toBe(200);
});
it('can change interest stage', async () => {
expect(await checkPermission(ctx, 'interests', 'change_stage')).toBe(200);
});
it('cannot manage admin users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403);
});
it('cannot manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
});
it('cannot configure email accounts', async () => {
expect(await checkPermission(ctx, 'email', 'configure_account')).toBe(403);
});
});
// ─── sales_manager ────────────────────────────────────────────────────────────
describe('Permission Matrix - sales_manager', () => {
const ctx = makeCtx({ permissions: makeSalesManagerPermissions() });
it('can do everything with clients', async () => {
for (const action of ['view', 'create', 'edit', 'delete', 'merge', 'export']) {
expect(await checkPermission(ctx, 'clients', action)).toBe(200);
}
});
it('can view audit log', async () => {
expect(await checkPermission(ctx, 'admin', 'view_audit_log')).toBe(200);
});
it('cannot manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(403);
});
it('cannot manage system users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(403);
});
});
// ─── director ─────────────────────────────────────────────────────────────────
describe('Permission Matrix - director', () => {
const ctx = makeCtx({ permissions: makeDirectorPermissions() });
it('can manage webhooks', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_webhooks')).toBe(200);
});
it('can manage users', async () => {
expect(await checkPermission(ctx, 'admin', 'manage_users')).toBe(200);
});
it('cannot perform system_backup', async () => {
expect(await checkPermission(ctx, 'admin', 'system_backup')).toBe(403);
});
});
// ─── deepMerge ────────────────────────────────────────────────────────────────
describe('deepMerge - permission override merging', () => {
it('overrides a single leaf value', () => {
const base = { clients: { view: true, create: false } };
const override = { clients: { create: true } };
const result = deepMerge(base, override) as typeof base;
expect(result.clients.create).toBe(true);
expect(result.clients.view).toBe(true);
});
it('does not mutate the base object', () => {
const base = { a: { b: false } };
const override = { a: { b: true } };
deepMerge(base, override);
expect(base.a.b).toBe(false);
});
it('merges nested objects without removing unrelated keys', () => {
const base = { admin: { manage_users: false, view_audit_log: true } };
const override = { admin: { manage_users: true } };
const result = deepMerge(base, override) as typeof base;
expect(result.admin.manage_users).toBe(true);
expect(result.admin.view_audit_log).toBe(true);
});
it('override with full-permission block gives full access', () => {
const base = makeViewerPermissions() as Record<string, unknown>;
const override = {
clients: { create: true, edit: true, delete: true, merge: true, export: true },
};
const result = deepMerge(base, override) as RolePermissions;
expect(result.clients.create).toBe(true);
expect(result.clients.view).toBe(true); // preserved from base
});
it('handles non-object values (arrays stay as-is)', () => {
const base = { events: ['a', 'b'] };
const override = { events: ['c'] };
const result = deepMerge(base, override) as typeof base;
expect(result.events).toEqual(['c']);
});
});
// ─── new resources (yachts, companies, memberships, tenancies) ──────────────
describe('new resources (yachts, companies, memberships, tenancies)', () => {
it('super_admin bypasses all new resource permissions', async () => {
const ctx = makeCtx({ isSuperAdmin: true, permissions: null });
const handler = vi.fn(okHandler());
const wrapped = withPermission('yachts', 'transfer', handler);
const res = await wrapped(makeRequest(), ctx, {});
expect(res.status).toBe(200);
});
it('viewer can yachts.view but not yachts.transfer', async () => {
const ctx = makeCtx({ permissions: makeViewerPermissions() });
const viewRes = await withPermission('yachts', 'view', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(viewRes.status).toBe(200);
const transferRes = await withPermission('yachts', 'transfer', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(transferRes.status).toBe(403);
});
it('sales_manager can yachts.transfer and memberships.manage', async () => {
const ctx = makeCtx({ permissions: makeSalesManagerPermissions() });
const transferRes = await withPermission('yachts', 'transfer', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(transferRes.status).toBe(200);
const manageRes = await withPermission('memberships', 'manage', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(manageRes.status).toBe(200);
});
it('sales_agent can tenancies.manage but not tenancies.cancel', async () => {
const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
const manageRes = await withPermission('tenancies', 'manage', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(manageRes.status).toBe(200);
const cancelRes = await withPermission('tenancies', 'cancel', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(cancelRes.status).toBe(403);
});
it('sales_agent cannot companies.delete', async () => {
const ctx = makeCtx({ permissions: makeSalesAgentPermissions() });
const res = await withPermission('companies', 'delete', vi.fn(okHandler()))(
makeRequest(),
ctx,
{},
);
expect(res.status).toBe(403);
});
});
Reference in New Issue View Git Blame Copy Permalink