Krow/Krow-workspace
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eff8bcce57fa2606ca3f73df0fa833b66ef1eff6
Krow-workspace/backend/query-api/test/policy.test.js
zouantchaw a4ac0b2a6b fix(authz): tighten policy scope enforcement
2026-03-19 16:48:43 +01:00

87 lines
2.0 KiB
JavaScript
Raw Blame History

import test from 'node:test';
import assert from 'node:assert/strict';
import { can } from '../src/services/policy.js';
test('orders.read requires client scope and matching tenant/business scope', async () => {
const allowed = await can(
'orders.read',
'order',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
business: { businessId: 'business-1' },
},
},
{ params: { tenantId: 'tenant-1' }, query: { businessId: 'business-1' } }
);
const denied = await can(
'orders.read',
'order',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1', role: 'MANAGER' },
business: { businessId: 'business-1' },
},
},
{ params: { tenantId: 'tenant-2' }, query: { businessId: 'business-1' } }
);
assert.equal(allowed, true);
assert.equal(denied, false);
});
test('shifts.read requires staff scope', async () => {
const allowed = await can(
'shifts.read',
'shift',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1' },
staff: { staffId: 'staff-1' },
},
},
{ params: {} }
);
const denied = await can(
'shifts.read',
'shift',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1' },
business: { businessId: 'business-1' },
},
},
{ params: {} }
);
assert.equal(allowed, true);
assert.equal(denied, false);
});
test('attendance.read allows tenant-scoped actor', async () => {
const allowed = await can(
'attendance.read',
'attendance',
{
uid: 'user-1',
policyContext: {
user: { userId: 'user-1' },
tenant: { tenantId: 'tenant-1' },
},
},
{ params: { tenantId: 'tenant-1' } }
);
assert.equal(allowed, true);
});
Reference in New Issue View Git Blame Copy Permalink