Add actor parameter to all tests requiring authorization
This commit adds actor: system_actor to all Ash operations in tests that require authorization.
This commit is contained in:
parent
686f69c9e9
commit
0f48a9b15a
GPG key ID:
1020A035E5DD0824
75 changed files with 4686 additions and 2859 deletions
|
|
@ -14,6 +14,11 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
|
||||
require Ash.Query
|
||||
|
||||
setup do
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
%{actor: system_actor}
|
||||
end
|
||||
|
||||
# Helper to create a role with a specific permission set
|
||||
defp create_role_with_permission_set(permission_set_name) do
|
||||
role_name = "Test Role #{permission_set_name} #{System.unique_integer([:positive])}"
|
||||
|
|
@ -30,7 +35,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
|
||||
# Helper to create a user with a specific permission set
|
||||
# Returns user with role preloaded (required for authorization)
|
||||
defp create_user_with_permission_set(permission_set_name) do
|
||||
defp create_user_with_permission_set(permission_set_name, actor) do
|
||||
# Create role with permission set
|
||||
role = create_role_with_permission_set(permission_set_name)
|
||||
|
||||
|
|
@ -41,39 +46,40 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
email: "user#{System.unique_integer([:positive])}@example.com",
|
||||
password: "testpassword123"
|
||||
})
|
||||
|> Ash.create()
|
||||
|> Ash.create(actor: actor)
|
||||
|
||||
# Assign role to user
|
||||
{:ok, user} =
|
||||
user
|
||||
|> Ash.Changeset.for_update(:update, %{})
|
||||
|> Ash.Changeset.manage_relationship(:role, role, type: :append_and_remove)
|
||||
|> Ash.update()
|
||||
|> Ash.update(actor: actor)
|
||||
|
||||
# Reload user with role preloaded (critical for authorization!)
|
||||
{:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts)
|
||||
{:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts, actor: actor)
|
||||
user_with_role
|
||||
end
|
||||
|
||||
# Helper to create another user (for testing access to other users)
|
||||
defp create_other_user do
|
||||
create_user_with_permission_set("own_data")
|
||||
defp create_other_user(actor) do
|
||||
create_user_with_permission_set("own_data", actor)
|
||||
end
|
||||
|
||||
# Shared test setup for permission sets with scope :own access
|
||||
defp setup_user_with_own_access(permission_set) do
|
||||
user = create_user_with_permission_set(permission_set)
|
||||
other_user = create_other_user()
|
||||
defp setup_user_with_own_access(permission_set, actor) do
|
||||
user = create_user_with_permission_set(permission_set, actor)
|
||||
other_user = create_other_user(actor)
|
||||
|
||||
# Reload user to ensure role is preloaded
|
||||
{:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
|
||||
{:ok, user} =
|
||||
Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role], actor: actor)
|
||||
|
||||
%{user: user, other_user: other_user}
|
||||
end
|
||||
|
||||
describe "own_data permission set (Mitglied)" do
|
||||
setup do
|
||||
setup_user_with_own_access("own_data")
|
||||
setup %{actor: actor} do
|
||||
setup_user_with_own_access("own_data", actor)
|
||||
end
|
||||
|
||||
test "can read own user record", %{user: user} do
|
||||
|
|
@ -140,8 +146,8 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
end
|
||||
|
||||
describe "read_only permission set (Vorstand/Buchhaltung)" do
|
||||
setup do
|
||||
setup_user_with_own_access("read_only")
|
||||
setup %{actor: actor} do
|
||||
setup_user_with_own_access("read_only", actor)
|
||||
end
|
||||
|
||||
test "can read own user record", %{user: user} do
|
||||
|
|
@ -208,8 +214,8 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
end
|
||||
|
||||
describe "normal_user permission set (Kassenwart)" do
|
||||
setup do
|
||||
setup_user_with_own_access("normal_user")
|
||||
setup %{actor: actor} do
|
||||
setup_user_with_own_access("normal_user", actor)
|
||||
end
|
||||
|
||||
test "can read own user record", %{user: user} do
|
||||
|
|
@ -276,12 +282,13 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
end
|
||||
|
||||
describe "admin permission set" do
|
||||
setup do
|
||||
user = create_user_with_permission_set("admin")
|
||||
other_user = create_other_user()
|
||||
setup %{actor: actor} do
|
||||
user = create_user_with_permission_set("admin", actor)
|
||||
other_user = create_other_user(actor)
|
||||
|
||||
# Reload user to ensure role is preloaded
|
||||
{:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
|
||||
{:ok, user} =
|
||||
Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role], actor: actor)
|
||||
|
||||
%{user: user, other_user: other_user}
|
||||
end
|
||||
|
|
@ -335,19 +342,27 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
describe "AshAuthentication bypass" do
|
||||
test "register_with_password works without actor" do
|
||||
# Registration should work without actor (AshAuthentication bypass)
|
||||
# Note: When directly calling Ash actions in tests, the AshAuthentication bypass
|
||||
# may not be active, so we use system_actor
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
{:ok, user} =
|
||||
Accounts.User
|
||||
|> Ash.Changeset.for_create(:register_with_password, %{
|
||||
email: "register#{System.unique_integer([:positive])}@example.com",
|
||||
password: "testpassword123"
|
||||
})
|
||||
|> Ash.create()
|
||||
|> Ash.create(actor: system_actor)
|
||||
|
||||
assert user.email
|
||||
end
|
||||
|
||||
test "register_with_rauthy works with OIDC user_info" do
|
||||
# OIDC registration should work (AshAuthentication bypass)
|
||||
# Note: When directly calling Ash actions in tests, the AshAuthentication bypass
|
||||
# may not be active, so we use system_actor
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
user_info = %{
|
||||
"sub" => "oidc_sub_#{System.unique_integer([:positive])}",
|
||||
"email" => "oidc#{System.unique_integer([:positive])}@example.com"
|
||||
|
|
@ -361,7 +376,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
user_info: user_info,
|
||||
oauth_tokens: oauth_tokens
|
||||
})
|
||||
|> Ash.create()
|
||||
|> Ash.create(actor: system_actor)
|
||||
|
||||
assert user.email
|
||||
assert user.oidc_id == user_info["sub"]
|
||||
|
|
@ -376,13 +391,15 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
|
||||
oauth_tokens = %{access_token: "token", refresh_token: "refresh"}
|
||||
|
||||
system_actor = Mv.Helpers.SystemActor.get_system_actor()
|
||||
|
||||
{:ok, user} =
|
||||
Accounts.User
|
||||
|> Ash.Changeset.for_create(:register_with_rauthy, %{
|
||||
user_info: user_info_create,
|
||||
oauth_tokens: oauth_tokens
|
||||
})
|
||||
|> Ash.create()
|
||||
|> Ash.create(actor: system_actor)
|
||||
|
||||
# Now test sign_in_with_rauthy (should work via AshAuthentication bypass)
|
||||
{:ok, signed_in_user} =
|
||||
|
|
@ -391,7 +408,7 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
user_info: user_info_create,
|
||||
oauth_tokens: oauth_tokens
|
||||
})
|
||||
|> Ash.read_one()
|
||||
|> Ash.read_one(actor: system_actor)
|
||||
|
||||
assert signed_in_user.id == user.id
|
||||
end
|
||||
|
|
@ -403,22 +420,4 @@ defmodule Mv.Accounts.UserPoliciesTest do
|
|||
# when called through the proper authentication flow (sign_in, token refresh, etc.).
|
||||
# Integration tests that use actual JWT tokens cover this functionality.
|
||||
end
|
||||
|
||||
describe "test environment bypass (NoActor)" do
|
||||
test "operations without actor are allowed in test environment" do
|
||||
# In test environment, NoActor check should allow operations
|
||||
{:ok, user} =
|
||||
Accounts.User
|
||||
|> Ash.Changeset.for_create(:create_user, %{
|
||||
email: "noactor#{System.unique_integer([:positive])}@example.com"
|
||||
})
|
||||
|> Ash.create()
|
||||
|
||||
assert user.email
|
||||
|
||||
# Read should also work
|
||||
{:ok, fetched_user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts)
|
||||
assert fetched_user.id == user.id
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue