Krow/Krow-workspace
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
96056d0170d936cde3c4dbcd54596df8dd8f3ab7
Krow-workspace/backend/command-api/test/policy.test.js
zouantchaw a4ac0b2a6b fix(authz): tighten policy scope enforcement
2026-03-19 16:48:43 +01:00

87 lines
2.0 KiB
JavaScript
Raw Blame History

import test from 'node:test';
import assert from 'node:assert/strict';
import { can } from '../src/services/policy.js';
test('client actions require business scope and matching business id', async () => {
const allowed = await can(
'orders.create',
'order',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
business: { businessId: 'business-1' },
},
},
{ body: { tenantId: 'tenant-1', businessId: 'business-1' } }
);
const denied = await can(
'orders.create',
'order',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
business: { businessId: 'business-1' },
},
},
{ body: { tenantId: 'tenant-1', businessId: 'business-2' } }
);
assert.equal(allowed, true);
assert.equal(denied, false);
});
test('staff actions require staff scope', async () => {
const allowed = await can(
'shifts.accept',
'shift',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1' },
staff: { staffId: 'staff-1', workforceId: 'workforce-1' },
},
},
{ body: { tenantId: 'tenant-1' } }
);
const denied = await can(
'shifts.accept',
'shift',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1' },
business: { businessId: 'business-1' },
},
},
{ body: { tenantId: 'tenant-1' } }
);
assert.equal(allowed, true);
assert.equal(denied, false);
});
test('notifications.device.write allows tenant-scoped actor', async () => {
const allowed = await can(
'notifications.device.write',
'device',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1' },
},
},
{ body: { tenantId: 'tenant-1' } }
);
assert.equal(allowed, true);
});
Reference in New Issue View Git Blame Copy Permalink