fix(authz): tighten policy scope enforcement
This commit is contained in:
zouantchaw
86
backend/query-api/test/policy.test.js
Normal file
86
backend/query-api/test/policy.test.js
Normal file
@@ -0,0 +1,86 @@
|
||||
import test from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import { can } from '../src/services/policy.js';
|
||||
|
||||
test('orders.read requires client scope and matching tenant/business scope', async () => {
|
||||
const allowed = await can(
|
||||
'orders.read',
|
||||
'order',
|
||||
{
|
||||
uid: 'user-1',
|
||||
policyContext: {
|
||||
user: { userId: 'user-1' },
|
||||
tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
|
||||
business: { businessId: 'business-1' },
|
||||
},
|
||||
},
|
||||
{ params: { tenantId: 'tenant-1' }, query: { businessId: 'business-1' } }
|
||||
);
|
||||
|
||||
const denied = await can(
|
||||
'orders.read',
|
||||
'order',
|
||||
{
|
||||
uid: 'user-1',
|
||||
policyContext: {
|
||||
user: { userId: 'user-1' },
|
||||
tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
|
||||
business: { businessId: 'business-1' },
|
||||
},
|
||||
},
|
||||
{ params: { tenantId: 'tenant-2' }, query: { businessId: 'business-1' } }
|
||||
);
|
||||
|
||||
assert.equal(allowed, true);
|
||||
assert.equal(denied, false);
|
||||
});
|
||||
|
||||
test('shifts.read requires staff scope', async () => {
|
||||
const allowed = await can(
|
||||
'shifts.read',
|
||||
'shift',
|
||||
{
|
||||
uid: 'user-1',
|
||||
policyContext: {
|
||||
user: { userId: 'user-1' },
|
||||
tenant: { tenantId: 'tenant-1' },
|
||||
staff: { staffId: 'staff-1' },
|
||||
},
|
||||
},
|
||||
{ params: {} }
|
||||
);
|
||||
|
||||
const denied = await can(
|
||||
'shifts.read',
|
||||
'shift',
|
||||
{
|
||||
uid: 'user-1',
|
||||
policyContext: {
|
||||
user: { userId: 'user-1' },
|
||||
tenant: { tenantId: 'tenant-1' },
|
||||
business: { businessId: 'business-1' },
|
||||
},
|
||||
},
|
||||
{ params: {} }
|
||||
);
|
||||
|
||||
assert.equal(allowed, true);
|
||||
assert.equal(denied, false);
|
||||
});
|
||||
|
||||
test('attendance.read allows tenant-scoped actor', async () => {
|
||||
const allowed = await can(
|
||||
'attendance.read',
|
||||
'attendance',
|
||||
{
|
||||
uid: 'user-1',
|
||||
policyContext: {
|
||||
user: { userId: 'user-1' },
|
||||
tenant: { tenantId: 'tenant-1' },
|
||||
},
|
||||
},
|
||||
{ params: { tenantId: 'tenant-1' } }
|
||||
);
|
||||
|
||||
assert.equal(allowed, true);
|
||||
});
|
||||
Reference in New Issue
Block a user