import { ForbiddenException } from '@nestjs/common';
import { describe, expect, it, vi } from 'vitest';
import { ConversationsController } from '../conversations/conversations.controller.js';
import { MissionsController } from '../missions/missions.controller.js';
import { ProjectsController } from '../projects/projects.controller.js';
import { TasksController } from '../tasks/tasks.controller.js';
/**
 * Builds a fully mocked "brain" facade for the controller ownership tests.
 *
 * Every method on the four sub-services (`conversations`, `projects`,
 * `missions`, `tasks`) is a fresh `vi.fn()`, so each test programmes only the
 * calls it needs (e.g. `findById.mockResolvedValue(...)`) and nothing leaks
 * between tests. The result is shape-compatible with what the controllers call;
 * tests hand it to a controller constructor with `as never`, which bypasses
 * the real dependency type entirely.
 *
 * @returns an object of independent spies, one per service method
 */
function createBrain() {
  // The five CRUD spies shared by every service; a new set per invocation so
  // no two services (or tests) ever share a mock.
  const crudSpies = () => ({
    findAll: vi.fn(),
    findById: vi.fn(),
    create: vi.fn(),
    update: vi.fn(),
    remove: vi.fn(),
  });

  return {
    conversations: {
      ...crudSpies(),
      findMessages: vi.fn(),
      addMessage: vi.fn(),
    },
    projects: crudSpies(),
    missions: {
      ...crudSpies(),
      findByProject: vi.fn(),
    },
    tasks: {
      ...crudSpies(),
      findByProject: vi.fn(),
      findByMission: vi.fn(),
      findByStatus: vi.fn(),
    },
  };
}
/**
 * Minimal contract each controller under test must satisfy: a `findOne`
 * taking the resource id and the requesting user. Method syntax keeps the
 * parameters bivariant, so the real controllers (whose `user` type may carry
 * more fields) remain assignable.
 */
type OwnershipGuardedController = {
  findOne(id: string, user: { id: string }): Promise<unknown>;
};

/**
 * One negative ownership case: `arrange` programmes the mocked brain so the
 * stored record belongs to someone other than the requester, then returns the
 * controller to exercise.
 */
type ForbiddenCase = {
  name: string;
  resourceId: string;
  arrange: (brain: ReturnType<typeof createBrain>) => OwnershipGuardedController;
};

describe('Resource ownership checks', () => {
  // In every case the requester is 'user-1' and the record is owned by 'user-2'.
  // Conversations carry their owner directly (`userId`); projects use `ownerId`;
  // missions and tasks only reference a `projectId`, so their ownership is
  // resolved through `projects.findById` and that mock is programmed as well.
  //
  // NOTE(review): only the `findOne` path is exercised here; the `update` and
  // `remove` controller methods have no ownership coverage in this file.
  const forbiddenCases: readonly ForbiddenCase[] = [
    {
      name: 'forbids access to another user conversation',
      resourceId: 'conv-1',
      arrange: (brain) => {
        brain.conversations.findById.mockResolvedValue({ id: 'conv-1', userId: 'user-2' });
        return new ConversationsController(brain as never);
      },
    },
    {
      name: 'forbids access to another user project',
      resourceId: 'project-1',
      arrange: (brain) => {
        brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
        return new ProjectsController(brain as never);
      },
    },
    {
      name: 'forbids access to a mission owned by another project owner',
      resourceId: 'mission-1',
      arrange: (brain) => {
        brain.missions.findById.mockResolvedValue({ id: 'mission-1', projectId: 'project-1' });
        brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
        return new MissionsController(brain as never);
      },
    },
    {
      name: 'forbids access to a task owned by another project owner',
      resourceId: 'task-1',
      arrange: (brain) => {
        brain.tasks.findById.mockResolvedValue({ id: 'task-1', projectId: 'project-1' });
        brain.projects.findById.mockResolvedValue({ id: 'project-1', ownerId: 'user-2' });
        return new TasksController(brain as never);
      },
    },
  ];

  for (const { name, resourceId, arrange } of forbiddenCases) {
    it(name, async () => {
      const controller = arrange(createBrain());
      // A fresh requester object per test so no case can observe another's input.
      const requester = { id: 'user-1' };

      await expect(controller.findOne(resourceId, requester)).rejects.toBeInstanceOf(
        ForbiddenException,
      );
    });
  }
});