fix(authz): tighten policy scope enforcement
86
backend/command-api/test/policy.test.js
Normal file
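--- a/backend/command-api/test/policy.test.js
+++ b/backend/command-api/test/policy.test.js
@@ -0,0 +1,86 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { can } from '../src/services/policy.js';
+
+test('client actions require business scope and matching business id', async () => {
+const allowed = await can(
+'orders.create',
+'order',
+{
+uid: 'user-1',
+policyContext: {
+user: { userId: 'user-1' },
+tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
+business: { businessId: 'business-1' },
+},
+},
+{ body: { tenantId: 'tenant-1', businessId: 'business-1' } }
+);
+
+const denied = await can(
+'orders.create',
+'order',
+{
+uid: 'user-1',
+policyContext: {
+user: { userId: 'user-1' },
+tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
+business: { businessId: 'business-1' },
+},
+},
+{ body: { tenantId: 'tenant-1', businessId: 'business-2' } }
+);
+
+assert.equal(allowed, true);
+assert.equal(denied, false);
+});
+
+test('staff actions require staff scope', async () => {
+const allowed = await can(
+'shifts.accept',
+'shift',
+{
+uid: 'user-1',
+policyContext: {
+user: { userId: 'user-1' },
+tenant: { tenantId: 'tenant-1' },
+staff: { staffId: 'staff-1', workforceId: 'workforce-1' },
+},
+},
+{ body: { tenantId: 'tenant-1' } }
+);
+
+const denied = await can(
+'shifts.accept',
+'shift',
+{
+uid: 'user-1',
+policyContext: {
+user: { userId: 'user-1' },
+tenant: { tenantId: 'tenant-1' },
+business: { businessId: 'business-1' },
+},
+},
+{ body: { tenantId: 'tenant-1' } }
+);
+
+assert.equal(allowed, true);
+assert.equal(denied, false);
+});
+
+test('notifications.device.write allows tenant-scoped actor', async () => {
+const allowed = await can(
+'notifications.device.write',
+'device',
+{
+uid: 'user-1',
+policyContext: {
+user: { userId: 'user-1' },
+tenant: { tenantId: 'tenant-1' },
+},
+},
+{ body: { tenantId: 'tenant-1' } }
+);
+
+assert.equal(allowed, true);
+});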
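Review bot: The negative coverage in this new test file is thin for a commit that tightens scope enforcement: the only deny case in the first test varies `businessId`, the second test's deny case only swaps `staff` for `business`, and the third test has no deny case at all, so a regression that ignores `body.tenantId` or grants `notifications.device.write` to an actor with no tenant in `policyContext` would still pass. I would add to the first test a call with `{ body: { tenantId: 'tenant-2', businessId: 'business-1' } }` asserting `false`, and to the third test a call whose `policyContext` contains only `user` asserting `false`. A case where `body` omits `businessId` entirely is also worth pinning, with whatever outcome the policy intends (presumably denied, since no business scope can be matched) — I can't tell from this file how `can()` treats a missing field. Minor style point: the file imports `node:assert/strict` but uses `assert.equal` throughout; `assert.strictEqual` (or `assert.equal` from the strict module, which is already strict) is fine, but `assert.strictEqual` reads more explicitly for boolean authorization results.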